d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
Size

46KB
MD5

294b4994fd40208f2be818ad15ca2078
SHA1

d7e9c2aa3abd5d551473db5b758d2184feb1ddf2
SHA256

d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8
SHA512

8642d5a61574da26c0c544d5c2fd3808a5e0286f3330f26d37c7e1058ceef2712c1d0a9a88e75c67a8ef07524cae9c9f2bf273bdde43e3adfe522988f7a60d9c
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBxCWi0DZqWOCWV:V7Zf/FAxTWoJJZENTBCV

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5242) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/316-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002343b-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/316-1976-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WordCombinedFloatieModel.bin.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-environment-l1-1-0.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe

C:\Users\Admin\AppData\Local\Temp\d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe
"C:\Users\Admin\AppData\Local\Temp\d84075eaabf5a47de7f04211168e8c2a66a489ac06cadc3056fe8cdcf8f45ea8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
46KB

MD5
ae97ce691f9ebbead3bf522de2e78502

SHA1
3aefde9bc53e013559d3f7c339ace0e490e01ef6

SHA256
2938c5c10db671765fda51cde0c4531148bad49b5ea6a7275b01e0c73da28aa6

SHA512
9f5710f8a92b8f31ce2578dc49f96ad7e2daa9db0c7b57aa248de7b291b1c4abbf46b141c07e3d8ebcd42594e18ef0f0418c9f40090c69e5396ab710a7d829d4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
0efbc9d60272dd84eeb9e2b2b56402de

SHA1
f19e0f2b6e8c060086494cae7158f4c1c4b4796f

SHA256
e576b748ed07a9e820aa09dd734a72bfaebf8ee1aee2632e40ff702b6b1c1a62

SHA512
8f04113a0dff69a67d0594d037584e41af1ba2ebda875b57e0423b6ec36c9d3f62fa84f7af476b0ba0ce2fc61d4b1044342a795c23545e432ab3f525439b7cab

Download Submit
memory/316-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/316-1976-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download