d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
Size

97KB
MD5

5069a87f9b5d8b208f09f56cf5a1c7fa
SHA1

85431e2edb1f12b5a4f469f0b67fd9c51c67a986
SHA256

d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a
SHA512

116733318e87fec2143dada050ef2785acc25c86da0f9b39cce12934f4feb9edea1a4fd355a59303420b20e3ed916e22af70ad54d4c65617ceb5e0b72351ac7d
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxtjm8sD:fnyiQSoojmHD

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5008) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2932-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002346c-2.dat	upx
behavioral2/files/0x000f000000022902-7.dat	upx
behavioral2/memory/2932-1846-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.DLL.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe

C:\Users\Admin\AppData\Local\Temp\d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe
"C:\Users\Admin\AppData\Local\Temp\d72984baaaf19130414465ac946268e4fa4123c98085bf1c1e4110ef075a431a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
97KB

MD5
b015c6abfd5fe3f6a223b3ac60d1b72a

SHA1
91e68417c65bdbe83a1507f5000a9781d3c81a91

SHA256
281f57d44f054af711f0f6218aefaf0cc4994497cd6e515fb8abbc2388e6c9d1

SHA512
e7e9e8afd57dcf4b7c51e378525af70c404e732facf79705d4b956d0ae4f8cd0d7475e166eeafe7eca1f0ea6c393a7a51e73818f7d60de13067e92b157dad906

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
196KB

MD5
b5c2e763ebe497b800ae60855daea6c5

SHA1
d5b056d936d930786f2c512675365735601dca81

SHA256
04a8bd8909a80989c92eb64f69659d90d949a2c07352aa608d1e99c693c3dd3c

SHA512
06b37e38aa87337b7122abd491bf01d08173a3550650174b5629787e342e311fdee737bf1ac79b78350511f02ad927c4f8fe7eac1936b551c6057b7d27bc8f24

Download Submit
memory/2932-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2932-1846-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download