336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 20:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
Size

167KB
MD5

81af277dd0ab225b18859c63561a1eb4
SHA1

dd897b513a2be9e61b55f6ed2017883927b9662e
SHA256

336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd
SHA512

16c3b18078c25ce089447cc89cd8f0f802d0dcd45d124256755a96e4654fc9c3aa98c7533ad02dfa7a7b251035599e5bbe3bda4986472fc2b0bfa4f2df795ad6
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZf2XcqvcY2gjsTn7fpXpgmvzOdSrnvz:fnyiQSo7Zf2XkQsTLpXYSrnvOZxk

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4814) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2104-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023468-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/2104-1762-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ppd.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe

C:\Users\Admin\AppData\Local\Temp\336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe
"C:\Users\Admin\AppData\Local\Temp\336691208535ef3b589f9293714312b0677a5aa38b0e1df80aec7b9e69521abd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
168KB

MD5
8ba5653797decc3ba8e9283a9d6280f5

SHA1
87f024d9c05b928a5eed75e98b201ab3775910b0

SHA256
5b0b5b0240fd048b55d31c6d25952abb09f313ceb78be232b2e0a085cc8acff4

SHA512
1353c81061492a7be923768827e6a1a5b12541a6814ee2aa125df29452fa473e4e8220ae7bda7b6f7aae3242a1ec6bcc06e91929030f25b6ab844754e8de0d42

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
266KB

MD5
f60ff4ec7b836380708f4d7050d57f8a

SHA1
4c17adf76c9b3e44cd7f59e7d6a454913643b073

SHA256
d800b0c783fb460f3f640a5b94ae185c02e67cc8edb3f699ab1d48e9bf3550aa

SHA512
f766a4a5bc0ce64904dd31e51ddd158673c668ce8e660d44eac541c273d9d853584c57f4baedd20f5818fd76817fb75ecd3deeea8621754ff56db7d90a125199

Download Submit
memory/2104-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2104-1762-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download