c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
Size

56KB
MD5

5d3fed6aec1e0d083f4ae26fa69a63e5
SHA1

bf1a3a1f45fdc91dd09c2a741bc77bcc008d14ca
SHA256

c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7
SHA512

19bb562404c39b62d120c99bd168418a1ca5bf5a6f9e0b40b73975d608414f0603f323ea4c51b974eae45eb8226a9032f76183becb83a0f9124896748077d4d4
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rR:V7Zf/FAxTWgGpGPwL

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4842) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1548-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000b000000023444-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/1548-1776-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLPROXY.DLL.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe

C:\Users\Admin\AppData\Local\Temp\c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
"C:\Users\Admin\AppData\Local\Temp\c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
57KB

MD5
d67c18e71c2b076850cba2e04936b35c

SHA1
01389592aa1b0c0b780b3815c791181312d4260b

SHA256
96d869179865df31b3d9644653676dee8879d1cd8380a1c84e239ec9f2585b80

SHA512
09cdff2e9d21b379a0d082e835108e6d4d0b55f0b4cbbda6cdb39384110a6b921d4e9370efd640661efc1adc428f9104e12292150371983f05cb19be1005014d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
d98df74100c8ddcc7ac72157d2c05b51

SHA1
34709c015b11ba947b545a3da2d6060b950d50bd

SHA256
cfd136da736fb1d2c6e93989395a78775adb951eced2bf42e6361c1d882dc301

SHA512
dc1e33e7f8ab94b0dfe4e4a3d1e44013c4f4aea61ee9acb7e599829a1505190ef2871eccea0f3872e9d44ada78f058adc62bc60d40bd73fa3838a9936e82aa15

Download Submit
memory/1548-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1548-1776-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download