924c25fe0ec3caefc0be31dbd3b86daafab4eae920d1eeb775eb63ad02a71d5d

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 19:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd1493e98edc4522e8f38534f807ffa0N.exe
Size

149KB
MD5

dd1493e98edc4522e8f38534f807ffa0
SHA1

067c6767fe175a2a39d5ed108a877731c565d18d
SHA256

924c25fe0ec3caefc0be31dbd3b86daafab4eae920d1eeb775eb63ad02a71d5d
SHA512

3e9228dce01a2b5c5ee51d74c5e15d5d58f3aa65cca0b4cd0aad849406cd1a6996f8a607106e9ec2ca9275ff0c07b4edc4ac1a89e9539ecb2e2f3cc05a3e3ed3
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8NCuXYRY5I2ISTWn1++PJHJXA/OsIZfzF:fnyiQSoDuXuv36QSoDuXuv3cimi/

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4230) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2252-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023419-2.dat	upx
behavioral2/files/0x0014000000022912-6.dat	upx
behavioral2/memory/2252-1780-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Queryable.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	dd1493e98edc4522e8f38534f807ffa0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd1493e98edc4522e8f38534f807ffa0N.exe

C:\Users\Admin\AppData\Local\Temp\dd1493e98edc4522e8f38534f807ffa0N.exe
"C:\Users\Admin\AppData\Local\Temp\dd1493e98edc4522e8f38534f807ffa0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
149KB

MD5
da94e7f5da0cf1b0d08d7cb33db2dd75

SHA1
4779fca8db53110aaa19462a2f8fcb09c9447df9

SHA256
0b159c81484036636ed7736806ed248e021fea3c853b1fab663b32cf57c2bc92

SHA512
5b43e38c4524367fdeeff227fb177158fcb246560305ed66a6a445ec8b4b9aa79441f13c135a4932e8e82ccf9ade483ac87e283c5a13d16eb859e2f1b1577e99

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
248KB

MD5
be68b45ac03274bd0efdb9be1dc89870

SHA1
24fa457123354a4c54e84b3bd3fc04464a879e50

SHA256
7800df2a06a873210f87297633eee9ee308ceac4fb32c88c5b2f52ece6e64b51

SHA512
d86015b6be148955bb5bd169a8cac787846bdea975ec8d628cd47bea296efca348c888e5c91ed85a93f0d6b6bd26622c82610a2764e6938fb806efee525c21b5

Download Submit
memory/2252-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2252-1780-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download