Analysis
max time kernel: 120s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-08-2024 21:29
Behavioral task behavioral1
Sample: 055724e070b10f9937e3509b718b2aa0N.exe
Resource: win7-20240729-en
Behavioral task behavioral2
Sample: 055724e070b10f9937e3509b718b2aa0N.exe
Resource: win10v2004-20240730-en
General
Target: 055724e070b10f9937e3509b718b2aa0N.exe
Size: 56KB
MD5: 055724e070b10f9937e3509b718b2aa0
SHA1: eaf5fe1b0f87d1915f3fdcad0c8f96acf649bcc1
SHA256: edf40fa9eea084eaf7376d6da88dc959ba247a2bdf2fa5a3859b0bc312a18084
SHA512: aa65e15930441fb6370e492a0628b351ca7194038e9289b7dff55d304f1853747ffc4ad9677189607282460a55f442d1d00a25cba072bd3aa21c88bee2e341ff
SSDEEP: 768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0mKV:V7Zf/FAxTWoJJZENTNyl2Sm0ma
Malware Config
Signatures
Renames multiple (4679) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
resource | yara_rule
behavioral2/memory/2868-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x000900000002348b-2.dat | upx
behavioral2/files/0x0014000000022907-6.dat | upx
behavioral2/memory/2868-1968-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\vi.pak.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\7-Zip\Lang\hi.txt.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp | 055724e070b10f9937e3509b718b2aa0N.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 055724e070b10f9937e3509b718b2aa0N.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 56KB
MD5: 37ac0c93650dded0ee27b452633f4a44
SHA1: e78504df812a68d870b55101bf50175ede98f1ff
SHA256: cee81c8c4d34a0dddabccabe35655e8ee09e81444fdc98c342fa5cf75b7381e7
SHA512: 1dbac7a2b4b44cd788083b8d326400a8d837d3e708cf3b8baf5dcabcd4f148f1926985bdfd0110e93ab2c16570d104037143eb2a9de2932b3effc9e914635915

Filesize: 155KB
MD5: 5be89c778f7cabc0cae7255bf98184b8
SHA1: 11fb55fe5af379b7a50c5a376d78259152032d05
SHA256: 172f9e1d05c2a29f4b5901722eeb9230bb4d6ae49e3ab660ccf99e89cb889094
SHA512: 88d8a9db82b7c4beaf49fbfd53b33eed2729785c9e53686f7c5d1b6fdb2bb4446e96f3b1a9f1ec398d1e846258ab735921d501825795cb2c95a2856215a445f7