1aba43ffbffe2aaa82a4ac7ba964b797731530c767b52d35185c356436432e66

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e958c9f6addd0589bb5175aa3cdf10N.exe
Size

147KB
MD5

78e958c9f6addd0589bb5175aa3cdf10
SHA1

4b446c0ffe961c406a9f9add30dd66f63335a2e2
SHA256

1aba43ffbffe2aaa82a4ac7ba964b797731530c767b52d35185c356436432e66
SHA512

fc4b06c9dc6b0debf4d9fa196c0c5ad40b0c86e72a68dd021ea0f31aeedcf43f486f1a2a2eada4297765bec54ca4a2aa198ff71bd6505beaa3ad2a0fd2109dd0
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZf2XcqvWTWn1++PJHJXA/OsIZfzc3/0:fnyiQSo7Zf2XGQSo7Zf2XS

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4239) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/784-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000a00000002345f-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/784-1746-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78e958c9f6addd0589bb5175aa3cdf10N.exe

C:\Users\Admin\AppData\Local\Temp\78e958c9f6addd0589bb5175aa3cdf10N.exe
"C:\Users\Admin\AppData\Local\Temp\78e958c9f6addd0589bb5175aa3cdf10N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
147KB

MD5
d89348adbbcc52b9c51a1ce6bbb34b0b

SHA1
787fe670a3e861359b5f2ca02104d58c1939bdf0

SHA256
c026fd94ebe4f0ec0cd37e35492240351460965ace97e4d9e29b52c4146ddf3a

SHA512
6da93cb3fdb4e0fbd59ff0a8ac7a387b4f0d5796419e87529c68812108ccd8ff88e3a98cc1cc37c57889809a227d28f68e3fbe51a6f55bff8e965b1755173263

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
246KB

MD5
3c8eafe430701868433268d0d0c39034

SHA1
62b186fae151561c19d3f10f0d6fddb538e6bfa2

SHA256
43cfc8b8a3cce89a048cf20561a93adcb65cd05e1fd5c3a789f933a882c3af85

SHA512
969b2a12a4ba13c19beb962f9cd4100f58d586e210aa1e1d3cfaee845a4939ace61c6c0a645f9e24fe13f3a9a1ae75920c1998a14f3fb36040b96f706865a29b

Download Submit
memory/784-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/784-1746-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download