575ea6ac6dab3074b6015ba8a2fac9eaea523fd1f5cf9e64232cde9dc3323fdb

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 18:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf62cb5c6c5359786dc639abfc32a9c0N.exe
Size

75KB
MD5

bf62cb5c6c5359786dc639abfc32a9c0
SHA1

83f6c6a8d3a4562ceeaf0e50cfcc4da050ec5ef8
SHA256

575ea6ac6dab3074b6015ba8a2fac9eaea523fd1f5cf9e64232cde9dc3323fdb
SHA512

0c0754cf7f76060f05ebe3eefeb1346a976c8cc019ffa9fe2c9b8d6dea0f30e8fe77f1d3cd16050bf87d774797b9e7ae480f7c459972a00871f750eb6c90e08f
SSDEEP

1536:V7Zf/FAxTWoJJZENTBb7dsXDZklYGCYusule9v:fny1tED7dsXDZklYGCYusulq

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4643) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2488-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233d9-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/2488-1948-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf62cb5c6c5359786dc639abfc32a9c0N.exe

C:\Users\Admin\AppData\Local\Temp\bf62cb5c6c5359786dc639abfc32a9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\bf62cb5c6c5359786dc639abfc32a9c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
76KB

MD5
70910469540635073b556900ee50b95b

SHA1
33379fff15d2fe0cc7b0ff0e80711c86f83caafe

SHA256
efff2d8568dba81cbb5853e0847f9759496018fe4ce9f99ec6239e5c64702f02

SHA512
18f31deb2f8b802487fdaf48b91de94cf51e2a08cfff796d795d2f714d25d9137a1123ccd4d9ec0b7209a043cbbac3b03673fd2898615af19c85539991f1bbff

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
174KB

MD5
53036e2595051a2972710420558f0a36

SHA1
621773e2264ad7446a342ebb9049adf6d24362e8

SHA256
23c3384b16f7f78bfc573723d5466b9feaffe10ec04c6b2f8c9cd9d2a40d0ba7

SHA512
fd36c85bd022bb5e5749c7cef27be9d9886b8e6755c3734d52b8878c2c6700ac569db51db6cfdff813e10a57ebd95d7dab0d3022a870f6c7e289b4333933ed13

Download Submit
memory/2488-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2488-1948-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download