1dccdda159c0652f4e26703e8ed4edd376bc39b9fa5283f2b3394dcd6d16ba48

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b76a57e1778626b3e13eef62892a670N.exe
Size

21KB
MD5

6b76a57e1778626b3e13eef62892a670
SHA1

ba85be1c8f134597f95d737678f9e6a86611352c
SHA256

1dccdda159c0652f4e26703e8ed4edd376bc39b9fa5283f2b3394dcd6d16ba48
SHA512

1a4c728bed750ff175cf0bd7f2e98ad3c6b5523c3351a141f7038a5a0ffd4a16d7c035d76cededa8323f5542e076a7968a29aee0919865d492df6dd9a5768f45
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJcbQbf1Oti1JGBQOOiQJhAT17IU5c5r:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJV

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4676) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3108-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023451-2.dat	upx
behavioral2/files/0x00040000000228f4-6.dat	upx
behavioral2/memory/3108-1206-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClientSideProviders.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nl.pak.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b76a57e1778626b3e13eef62892a670N.exe

C:\Users\Admin\AppData\Local\Temp\6b76a57e1778626b3e13eef62892a670N.exe
"C:\Users\Admin\AppData\Local\Temp\6b76a57e1778626b3e13eef62892a670N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
21KB

MD5
ea437b0210501b3625c0e532eb8da7d3

SHA1
be9c66e0e1aa75caa9ac9c2b477ac6e2dfddd711

SHA256
34fc0f7e0d419bf82b3044e00eb838fa94e05ad49970bf96e7fa7e81d6eb8d10

SHA512
6f7b45667847cade9d97c1e0b9aceb295de22f8e063ff512629efb37aecbaef45843c79c2701135fbbaf3e4a75be1161e259678fb0318eb8dfd91ffb72a1afd3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
120KB

MD5
4c70b44dc7ddb9f185d8d8e3e9e1c442

SHA1
4edcc3ca287de429642e819e9707ed0a78e036d4

SHA256
70b301035dc26f91a800ca164ef6a04e447d5897280ed7a2e87e597554e82dad

SHA512
8da14d43976e1aa583f972c6ae5087eacd26e7b3dc246ab0a3caae007acfe5d768809296200d0d0acd67282296b7b006add68153472bf0baa885716d33208a00

Download Submit
memory/3108-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3108-1206-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download