36c4266ac80e7419639eac03ce857274f9b7a01c7dde15b51147d5e3f57a95e6

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 09:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8b78a93795c5a40190b335c6e5b17740N.exe
Size

22KB
MD5

8b78a93795c5a40190b335c6e5b17740
SHA1

1d6719ae2d49bc769dd62083eea59bb63df007b3
SHA256

36c4266ac80e7419639eac03ce857274f9b7a01c7dde15b51147d5e3f57a95e6
SHA512

78b349e29da085e0e1fdfc63ed666b495da9a8af87853686e6a9a7622b1b035f38efdf1992e688f1b6d7f432c7eed148150f3957a6b57d02e828bb0d5f385c70
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJcbQbf1Oti1JGBQOOiQJhAT17emDLD0Wd:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJe

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4697) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4744-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233e5-2.dat	upx
behavioral2/files/0x0014000000022907-6.dat	upx
behavioral2/memory/4744-1224-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\nb.pak.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	8b78a93795c5a40190b335c6e5b17740N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp	8b78a93795c5a40190b335c6e5b17740N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b78a93795c5a40190b335c6e5b17740N.exe

C:\Users\Admin\AppData\Local\Temp\8b78a93795c5a40190b335c6e5b17740N.exe
"C:\Users\Admin\AppData\Local\Temp\8b78a93795c5a40190b335c6e5b17740N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2951562807-3718269429-4208157415-1000\desktop.ini.tmp

Filesize
22KB

MD5
ab22464fb0faff4baf8b18db1c30da05

SHA1
cbd9cd9c7ce7c73cc2f1738bcc3a2adf4aa9c39d

SHA256
01cf90c38008de328a78ae13d6af2b0bd5b5e7c6794252341424b9a2cf45cd64

SHA512
cf03fa8918057805eee25fa4ad2540b95a09a475cf78255afaa897f6a1b0a53687207fa7718209c6e76694b28fdd945f2b484d6eafdbe1e1aeed8a8157f24ef4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
121KB

MD5
315c7b79b152894b4bcbd92df5d4e1f1

SHA1
c31911e3c3eb7c7655ce33b2b8fbeffafc8ea677

SHA256
9801e176114d52c5bb02f0e69f9a41b07ea9139d7971615a63f2ed1dc06f32f8

SHA512
a088862c779e303e6ecc8b343ba956fe4b13bcbd046e7a63a09395195d08a3da474bbbe36df4e25b7868d3b9c4f297cb68ca039917db8f37003a21fb8101c137

Download Submit
memory/4744-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4744-1224-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download