f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
Size

69KB
MD5

c265caa3e7c712a0b9ec5e2c84b7343a
SHA1

9632cb36de06eb8cb48ec23702af9b4ea6524ff0
SHA256

f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416
SHA512

56141ab40af6ef53a17d441a861607e0d886f89a5597eca08e381ffe88626ff74f39c41283ec4e3bf38afc4361bc204ae56a8029ffd9cbe4884bb30a962f1dad
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8Q8/8fCR:enaypQSoskm

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5123) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1452-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023460-2.dat	upx
behavioral2/files/0x00040000000228f4-7.dat	upx
behavioral2/memory/1452-1856-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPRESOURCES.DLL.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe

C:\Users\Admin\AppData\Local\Temp\f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
"C:\Users\Admin\AppData\Local\Temp\f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
69KB

MD5
6da97cb52186107e725e00e020065a50

SHA1
b647b4524a61d4027301b88414f85f4f59cf75b5

SHA256
c0657f733145362fe685b925fc8ba614280efe5b0f0c521f2682bb910cf8c72c

SHA512
aa2b5e6ed36d0dd68bdabf04382a08c058144d0e94854763d760ee6c37a245f8f2c99a7a821765cdeb8a1445b8ef23545e31a041d6ed8db16991fd83a3906120

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
168KB

MD5
8277ea1a0f9351c9ef0f315f683b4905

SHA1
aa07bc6e16456e31bf38a20e07a8298ad161d262

SHA256
5d521c6e8f67ea343ee1a66d2148a80169fffee1fed47e9eb34563cee9e57dde

SHA512
41ecc1f147934cead8d797f1aa968bc52736c2fe47a8bdef117aaabd5449acad72e86ce14fcd4cec2bed4b82a815a95b647b30ee8dbc7ca227adb4ca1d83046c

Download Submit
memory/1452-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1452-1856-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download