5ef44ad16f8ae1cca73f894f44f9b72cc8f3e34194729e624b92053c16c75816

Analysis

max time kernel
119s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c57486202705c4f488b58ffdf30f9640N.exe
Size

33KB
MD5

c57486202705c4f488b58ffdf30f9640
SHA1

70d5346da68d97a150263c09a28f8b7bb6e85c51
SHA256

5ef44ad16f8ae1cca73f894f44f9b72cc8f3e34194729e624b92053c16c75816
SHA512

df9f25209b2f6c64aede8dd030268a500daa2bb5a8df9c795734aa838b7c6d60e29e3db03a4f77b93e41fa14eb66cffdff512c56eba69b6d91c183c9ae94127b
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti2b3:CTW7JJ7TTQoQ2

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4672) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4168-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023437-2.dat	upx
behavioral2/files/0x00040000000228f4-6.dat	upx
behavioral2/memory/4168-1220-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jre-1.8\lib\currency.data.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	c57486202705c4f488b58ffdf30f9640N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c57486202705c4f488b58ffdf30f9640N.exe

C:\Users\Admin\AppData\Local\Temp\c57486202705c4f488b58ffdf30f9640N.exe
"C:\Users\Admin\AppData\Local\Temp\c57486202705c4f488b58ffdf30f9640N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
34KB

MD5
8ba65f1f433998bc961f75c139d980b3

SHA1
a0cc863c3194318db9e34c409f89ca254eecf6ed

SHA256
a441d75f1b975996f1c9f899c10736d9c95e695d1c15858aa6158e8c8d4e3397

SHA512
ea5b6ef861933bafa262f0aefec1395c391d9fa23c7493151561feb4f24d7f46c48ebb0ff5e5955a0de27a67fba6dfa677ec41724d95019db9e24b580d8f2b17

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
132KB

MD5
838cacbc373e48d7abdc33b539aee818

SHA1
fe664a64c7541ac6d3155998f75c9c464ba15132

SHA256
c39202d68ebdb752809ac571141981f0a64666283f84691769da9acc9c95ee02

SHA512
732e1ea920420c68ee901e87e7e110018303f31b6f88e6b147bbc50ad2413840ea641ad78e3c64a5ce1dfdb93f2a8f278fcc26d8d795ac38554e3d2dd7a65dea

Download Submit
memory/4168-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4168-1220-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download