769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
Size

30KB
MD5

fd21349409a48d0438dadf0186537cb3
SHA1

28da9eb146fe77ed708a7cac5af985021858b6ef
SHA256

769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4
SHA512

c831b0e1bc0b6c5aa95eaed0a64b06722641501d98ec7fe3d8573a59391d1e14e54303e2801295ba0ceaa5f4cd1d315b432222b463c7ac687bd7bce1c311887c
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKerwFNn:CTWgDF

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5247) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4856-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023466-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/4856-1230-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe

C:\Users\Admin\AppData\Local\Temp\769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe
"C:\Users\Admin\AppData\Local\Temp\769abfd4d1b5115a61064e7b3035ca59f9f1537629874c26d758848edc72bee4.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
30KB

MD5
547c6f3f1935a8a1dda872f590695d02

SHA1
a7e15ff83f523885072ca9325e7d2d382cdfccad

SHA256
b5b6658889ee80a9c67eec46830b8d66a0c9db3e1b56cbda0e78c6e6f7392ce6

SHA512
9f385455daa21cbeece513549b394539de3cfa2d8989b7496b90a367bb490336d4b48488db9c7c1fbad3cc5f9a065af7cf74d18221502a3e8f8af58074397c84

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
129KB

MD5
898646c754425af1008eecc5eb66e839

SHA1
b13865648554089cfe0507c2c0f2166634ef16de

SHA256
7b6fe564b28a776416f3220476fb52238056fb9853377da9e9628594e6635b79

SHA512
9a97f54154a3950d6e94c80a0618d2a626e21f6ecd0d4d40d20056dc1f8ee42e5ff00d7bfcf93412a9108b260d9da5d93f3e79f7b52ac9f3a30bdef31e115c3c

Download Submit
memory/4856-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4856-1230-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download