9f1dfc70328484ae7c5cd7dc05378480545e0d0758dd6ce8e1c8ddfd65809815

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c14860a2d97730336c390e1b6d20820N.exe
Size

142KB
MD5

7c14860a2d97730336c390e1b6d20820
SHA1

e7bf954fe61fbc9c7184d94f633ef56aeddc817e
SHA256

9f1dfc70328484ae7c5cd7dc05378480545e0d0758dd6ce8e1c8ddfd65809815
SHA512

425a82215b54903ce9a003bd2f3234604ecd1a616f6449c11a9acfc955a1e4429de6db757a80e0446ce58af5b0cfc2bbfe6e07976548b1893a04f4537258fe37
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8NCuXYRY5I2ISTWn1++PJHJXA/OsIZfz0:fnyiQSoDuXuv36QSoDuXuv3cimiC

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2588-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023457-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/2588-1740-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ru.pak.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Java\jdk-1.8\LICENSE.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	7c14860a2d97730336c390e1b6d20820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	7c14860a2d97730336c390e1b6d20820N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c14860a2d97730336c390e1b6d20820N.exe

C:\Users\Admin\AppData\Local\Temp\7c14860a2d97730336c390e1b6d20820N.exe
"C:\Users\Admin\AppData\Local\Temp\7c14860a2d97730336c390e1b6d20820N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
142KB

MD5
79a10a62d1f94be2eb63bb0bf82a325d

SHA1
53e2221bae72c12ffc44c0eef795acf69d8ecf1c

SHA256
6fb89ef7e2475deb45a360a71fb087e18e4b5be7b334908399f34161d8a2a6de

SHA512
4bcd92e0ac716ea6d0f3c26fde1a94dba0956fe5f17a6d875462efaebb4f890cee42696ec1838cdf3d5c85a21d470f13d26668acce04b88dfe6e4f5496750aed

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
241KB

MD5
2d305a4a1f7dc70b1eb156024a1f9e01

SHA1
abb0fc9027927b601bcd53ac7082004b63c537be

SHA256
6d12ad9eea1907b6e81ab3086bade3a379361c67c01f8796012265b336d22c93

SHA512
e15c3346062aafc2288c562951a9d869fd5b9f8130d8269fbb619c8ec65af0eb92b36e3a5cbb05c0054220233e36c18c3e1d4c90785422506719d228f87cc671

Download Submit
memory/2588-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2588-1740-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download