88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 23:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
Size

64KB
MD5

48b52722c6ec12501ae5a7c950a81a93
SHA1

8bf2cf2cf15140f260eee8cdd26ae398cb7389ff
SHA256

88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782
SHA512

cbf91ac360cc3eb190ef580dccc7e13f40d3fa5f7b22bb574986fdbc417e9cfb6e3ed779ac3d549d0043687c0c21e38ac353ff507345b8f49748175ae070c57c
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiyqAbJEqU:V7Zf/FAxTWoJJ7TTQoQTF

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5126) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2724-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233a2-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/2724-1950-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe

C:\Users\Admin\AppData\Local\Temp\88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe
"C:\Users\Admin\AppData\Local\Temp\88c0e6557fa75647a70da088ceb756128970f6e2f465b16dad5b41a84a1e1782.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
64KB

MD5
9898bedca73a4a7011440f5ae429886a

SHA1
60e5fb64272c0aefd13fe24df67b2d5e5b34b4f4

SHA256
c494186109f9aae073ed89f9c84e70702754511b100c6b55a700cf763d51463e

SHA512
c3405cd5a75c3ab2444ad6aee32e061eb4a2341ff768e92e499280b51e6e458a86fbdd301fbaee2b5969025efc34a685728f4225b118d6af6efc75085b9b6860

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
163KB

MD5
52ca61f4f8a8b2fd4c43ac44544e534c

SHA1
a7451b5cee3c85a42dacff864b275d53942883a4

SHA256
6ae4186e8c992021f3fb5e5f0a15ebd019a0449bfc13314fe36cd4124429f586

SHA512
b4cb01379b59a267fd28496334afff44cebc9b0f04fc21c6653926f98d94aa22dbdea8f04c53f14ba041674b903a63d557f96e448edd6dc0f46d2b9f19add5dd

Download Submit
memory/2724-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2724-1950-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download