277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
Size

62KB
MD5

81c69b5c0bd219907b3bd58cec35bb1f
SHA1

f13fd493f74aa3b488dae7bcf662eb30f67c6cd2
SHA256

277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0
SHA512

a7891edc4885360a1c996cf003545b7876d5a7ff1a7113aecb3695b113fb6dc0dd8e3494c0e94cac595c839a6944585fa29dfdc5cd4f237fc0c0ece739387ada
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rl:V7Zf/FAxTWtnMdyGdyr

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4312-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000b000000023416-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/4312-1958-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libEGL.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE.HXS.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SignalRClient.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe

C:\Users\Admin\AppData\Local\Temp\277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe
"C:\Users\Admin\AppData\Local\Temp\277e752f255d480c59445dccd8616037efc75ddd4a1f79091f70c805df393bb0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
62KB

MD5
49757c8d88035ba860c93e91728d05e7

SHA1
ba952d97fb4abf47967881b7b344b0a75cb185ce

SHA256
1fae68bda9c083ec3db97bc77f7bfcf2b57fa473c06d78ca4f7ba66e817bc65c

SHA512
c7b86860e9db08c7aff6f377cd7c62876be24e5f1a08f31d6cb3460da740490130af6b5452f43c1f0f1168aa50a2327871fa521268739088e36cc0a8c7f7c1f7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
161KB

MD5
83b44be82a19a282a452b400584f59d4

SHA1
681ea5316fa1ad2090aa435a6a508db2334f7047

SHA256
76648775b925b30be3b2b76276a3432f0bb4f50bb7de38d4a9b2b4e884144277

SHA512
98febf64676e1f2c3262d4f9d7c42291bc9de784407a27d47df52673a7648712aa628debd7c9a572e4fcff9c3872c374be2d457ed73486cdcdd32d559fdad37b

Download Submit
memory/4312-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4312-1958-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download