347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
Size

69KB
MD5

a8d8a21a91fecde2e6a2841d869f2d06
SHA1

f8b929262294cd85c1fa6813ccb31a4c132fe379
SHA256

347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861
SHA512

cd3981d6bc381c51e12b271140478c1fc60d8fae0c4b91c7c30ae6ac8fc98b285b27410c20346e62268dd9ac1bec4f29afc43b01e326b402eb27057e635852ec
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8Q8/8fCI:enaypQSoskz

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5077) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2172-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023423-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/2172-1900-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\kn.pak.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jre-1.8\bin\bci.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe

C:\Users\Admin\AppData\Local\Temp\347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe
"C:\Users\Admin\AppData\Local\Temp\347e5a5953aab8e8af57f721dccd23760db18988efb2c2b04ab1b94a0d178861.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
69KB

MD5
cf9c18988407eee9df59b411cc246348

SHA1
eadf315df6e4152e953417f8fb4379df664aff2e

SHA256
a1c1593761e09400dddc531ee81dd11f45c9c26b0863b413a0b82ef319b4b5a0

SHA512
c8187c9c4768d923373e7f03c1825c803676e6ce78d39f4c038dc73eed60ef07b4041de4782f0686b7bf149854c4a8d91284ad825ae0b5a423a14c39ff9d562f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
f767f39170bc2ed3734780412af2081d

SHA1
7144f7c3fa64d4205fb80e0d64ca07418c4bc0bf

SHA256
0dc3cd41b0449b23b095c7b107a02789f5b71ebf63283a3184ca26f428e9cf98

SHA512
ab55d25a3580d2d58192b1ffdc8290e832ab2e2f1a21732d7a5575d25da5e04c60896e7b561b8d9769cd2ff9856a32186b5366b9e6dfacf797f3f77bff6d4612

Download Submit
memory/2172-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-1900-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download