4814714af2d73bd5f7778b9db5a71705984e904d8d8c53914d84204034cd9e5c

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14aed829459d09cb43656c52398007e0N.exe
Size

47KB
MD5

14aed829459d09cb43656c52398007e0
SHA1

e4b7be314bf92c6ef55c9753bf3ab42f49bd6632
SHA256

4814714af2d73bd5f7778b9db5a71705984e904d8d8c53914d84204034cd9e5c
SHA512

2cb27259f561bb07354b46acff35b52602a8edd964d9672d21aa16bcc13271a20dd1292b73910c82276402929b828bc2255c7daa6191c1a4c156ac1c391b5240
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJXGiXZqV92N2X:V7Zf/FAxTWoJJXUVYoX

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4670) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4884-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023421-2.dat	upx
behavioral2/files/0x0014000000022907-6.dat	upx
behavioral2/memory/4884-1956-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fil.pak.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\ro.pak.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Xaml.resources.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Extensions.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\CloseMount.aiff.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.tmp	14aed829459d09cb43656c52398007e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	14aed829459d09cb43656c52398007e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14aed829459d09cb43656c52398007e0N.exe

C:\Users\Admin\AppData\Local\Temp\14aed829459d09cb43656c52398007e0N.exe
"C:\Users\Admin\AppData\Local\Temp\14aed829459d09cb43656c52398007e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721909339-1374969515-2476821579-1000\desktop.ini.tmp

Filesize
48KB

MD5
3c01ccf2c8e9cc0ccca86b9ff96fd0c2

SHA1
3236a08ec56311be01ffaa3a73b00ae764571e4e

SHA256
05ef66ec07ca690c82db23c06261b4d62842cbb84273aabf7ce5320aa57b297c

SHA512
5a60114b5dcb4d7687d08cbbd4762fe8f693d1e4c041bc42338560e9a9b9f5d7a3a802fd52a54389821dac5e0c7f0686a029795b0f0e192e28bd7981ca2e5e5f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
e732b4a662c03778cee4edcf336cb9b5

SHA1
3ffd824bbdba9f710f20e1514d50e9a31e25aefb

SHA256
739506eb7172d9818929a6b5fd8ad07bc10b4025cf979e16b9aa1f4e28a2741c

SHA512
c1758ffca3394ee0788181d6ea6981371129b0236ff7ad3a695d1bd0ebf6ff5eeba43af769fd4344809ba9a135d5b407ca0d6b59ab61648f3b4b24aa76a55ee8

Download Submit
memory/4884-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4884-1956-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download