8c88ace5fd39d30dbc0ffd64a37af392fd5fce4c03dcb2feeae94a04a9a54361

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b034e368d7831f0501f70ec25e0b3a0N.exe
Size

46KB
MD5

2b034e368d7831f0501f70ec25e0b3a0
SHA1

84b6b261d9027a22746de25ac9e33f175bc0ee40
SHA256

8c88ace5fd39d30dbc0ffd64a37af392fd5fce4c03dcb2feeae94a04a9a54361
SHA512

44ab12f5c3c502bd39f06a31eee50213bb6cc601aa0fc1a08655d4f744581124fd7b689dfda209bac0feee37b32d3eab8ac5ba2d326e158d4a8f91142276c469
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJBZBZaOAOIB3jM2jMZfL:V7Zf/FAxTWoJJB7LD2I2IZfL

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3381) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3088-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023466-2.dat	upx
behavioral2/files/0x0014000000022932-6.dat	upx
behavioral2/memory/3088-1542-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\vk_swiftshader_icd.json.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\es-419.pak.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\af.pak.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Resources.Extensions.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp	2b034e368d7831f0501f70ec25e0b3a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b034e368d7831f0501f70ec25e0b3a0N.exe

C:\Users\Admin\AppData\Local\Temp\2b034e368d7831f0501f70ec25e0b3a0N.exe
"C:\Users\Admin\AppData\Local\Temp\2b034e368d7831f0501f70ec25e0b3a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
46KB

MD5
e32853bc688df8406e4c632b2f0d5656

SHA1
3225cb35ca5cbf4a6c8c06ef9e1d982c1affa0a9

SHA256
80d70f1c8150dbdc824fe4881175a04e0fab8fc92819954f7ea7e72f9e639ed7

SHA512
0cb5676d4c69de9524f952509f9718a9db21f8743f4bb4f8b7927818b721a612b3f2627159095882da5e0b20d3ae229a5a485490a1f79bb2f18c4fefacb28987

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
fd120769ac58eafe0da543e9daffcfa3

SHA1
66b0bc42b0bad18d92b854a8b72058f2b0f2e6e0

SHA256
4250e692fa73b140b71a5c97a230b39bbb08e0d0b7e4d143ce1569acbc9eab3f

SHA512
58d33990d8648605f2abe23b42ed39323a2735710a5023e9c5e14b324db921b97f4bba00b5dec850dccd0c302d4beae55fbd24cf1d4272225cbc83460d97fc9c

Download Submit
memory/3088-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3088-1542-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download