6cf4ac810a002dabc138e2a8cd6dc374fec3b351830b265bbc812d07a3dbade4

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f5e863714e151a2b08fb9294fc36ef0N.exe
Size

93KB
MD5

5f5e863714e151a2b08fb9294fc36ef0
SHA1

a91a6646d4dbccfa6ad3a4250a6de060c2ef1640
SHA256

6cf4ac810a002dabc138e2a8cd6dc374fec3b351830b265bbc812d07a3dbade4
SHA512

505ac8874dfcc2fcdf5720db38a2e74cbbadc06efd28ed9d92f362a3a25450c5a61320957f49163f45db2e48efbf7eb1ae8fbca2560bf0b54bf623700f2e8ae2
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zx0Cq/8S/8dE0WnL/Tn5+Pg:fnyiQSop8i8dJQbTn5+4

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4646) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4248-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002346b-2.dat	upx
behavioral2/files/0x0014000000022907-6.dat	upx
behavioral2/memory/4248-1878-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R64.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClientSideProviders.resources.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	5f5e863714e151a2b08fb9294fc36ef0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f5e863714e151a2b08fb9294fc36ef0N.exe

C:\Users\Admin\AppData\Local\Temp\5f5e863714e151a2b08fb9294fc36ef0N.exe
"C:\Users\Admin\AppData\Local\Temp\5f5e863714e151a2b08fb9294fc36ef0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721909339-1374969515-2476821579-1000\desktop.ini.tmp

Filesize
94KB

MD5
15ed46786271169a28f07cb89fb8bfdc

SHA1
6e7689e8dcfea2f50da6f1a83ca5a8ecc6702891

SHA256
87fad0c209327a130f36e5ae0864c2ba48d7b7e3af911a21d71a6bbf98e4ca66

SHA512
a42efa05c10c3e1675194f619fadfc243b63aa9a71659ef9684421615b0788df185dcd2115533dc7307c2b100ac07ee3bf1c633ded6d0c440d00874415df4718

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
192KB

MD5
2c6aad83f22ee7faccfb0b9d163a96d1

SHA1
e8fa16bdd05bc72f534544a0876dc2f6cb664e43

SHA256
e46522242c460d488b257170851c75ee637d8d9a8af224a3946395c3133dc354

SHA512
6058f457a95dec89e1a1a57588b6786f31d9a70bdf044dabb4abec7e3286d7c50a942e83a57e501f9e28b1f213b550b4c6ba563db9b75f6f193532a08b37aa19

Download Submit
memory/4248-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4248-1878-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download