91d6081bea46f431b15cc8cc736551088990c12e43aeb2e98eb6d1dbd282f550

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
Size

54KB
MD5

6bd65a4a1c85b51ffbeeb8d6d2205020
SHA1

407acda44e92fb8e913cefd1d1e27236174725e8
SHA256

91d6081bea46f431b15cc8cc736551088990c12e43aeb2e98eb6d1dbd282f550
SHA512

382ef4e7f5851a11721a937f90a7f86092cd4df4d1fbfa2ebe1228e777f2ee5fdd3a9c50fae927f4f025716ffad70da05424fc62f1ae9b03712462251d666c9f
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyIHAJvHAJLMFp:V7Zf/FAxTWoJJZENTNy3p

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4658) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4004-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023490-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/4004-1962-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClientSideProviders.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\desktop.ini.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ul-oob.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bd65a4a1c85b51ffbeeb8d6d2205020N.exe

C:\Users\Admin\AppData\Local\Temp\6bd65a4a1c85b51ffbeeb8d6d2205020N.exe
"C:\Users\Admin\AppData\Local\Temp\6bd65a4a1c85b51ffbeeb8d6d2205020N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
54KB

MD5
2e45403a8a40a92d98ffe928af7d7281

SHA1
1af7be01ddc582af7b64548a0a202cb8c997f8f7

SHA256
7e79c3d6513d37adf68ad6c4aaaf217109e620f5a0a590a7546c269491cbc9b4

SHA512
f5386f70474a9a2fd0b4cbd83c5f21812d8a95a19f90c7e0cf3214690073d3f70b9890933f1c3eb39e266f4cdf33d6eb287a1372ba123ac662696d46952c88cd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
6ce5711cd3af1e99282f653f4a1def80

SHA1
2ae62e92b8c0a75cfdca23155030e0848777d77e

SHA256
7000e625c70899500c135993d75f0a798e9268e2949dce5bdec0ae284e3c8f51

SHA512
8a21b21019d74d22bc42996d6c0c65d7c78d8230ea58e369aac09b76bbe8838c42023ad9ed0d9a7ad8b19d015decf31be1756f90e5e395dc857ddc4257c870ed

Download Submit
memory/4004-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4004-1962-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download