2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5

Analysis

max time kernel
150s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
Size

69KB
MD5

fcbe7af10aedcb13128c4af409f81500
SHA1

2d04287117beb635bbda5847c4a926e19e9772e6
SHA256

2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5
SHA512

a64cc22604131271cb66d82484890a12231acabc2ef095caf80ce069628bf1b4e2e5ca6f517cfb8e6a7d673b436fda5fe2d33d577e3183581adba5976e2c5ddf
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8Q8/8fC0:enaypQSoskX

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5054) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3356-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002339d-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/3356-1912-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Java\jre-1.8\bin\glass.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.did.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\wordEtw.man.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgrammar8.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPCORE.DLL.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe

C:\Users\Admin\AppData\Local\Temp\2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe
"C:\Users\Admin\AppData\Local\Temp\2882b1bd63a032771b739415a7da464762cecfa5e5b6a909a64727af76f7bfb5.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
69KB

MD5
fce85a44ab297a697e414f24bd7f998d

SHA1
75c62788bc6495d1ce6bf91c2d2d5bfb8d139ead

SHA256
0a42584fc278bf3b083616a204c95b3992ed315a186986e83095f842c3c88508

SHA512
8f921b93c2260a22bfe2273e5de86e64da70d0efe2ae300a245b84196d66860e882dcb51aea3e7788d081b0edb993ce7e7964ef80033ce90f70218d42389fb27

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
5a6beee998d506484c84dc071670adeb

SHA1
496556e669cf88e4a201fd2edb1b9e98e2c7d8e5

SHA256
1cc908d35f5d1e27f89b7f6ee50add9dda205304ceaeae1d200f2c91d1097566

SHA512
1d706801a3ecb5447f52820148da74288c199f518b265320602519ff62285a497956273d99298c227db18c385d70334448db77d539b3dcac503ca0c109afbe68

Download Submit
memory/3356-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3356-1912-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download