ba274ea2de487b6b360bdc45a944b356a6813d5473a7a9926937e4d0f6ef0947

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 01:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6a4119fd592e69c86c8e4f08a7e6e870N.exe
Size

72KB
MD5

6a4119fd592e69c86c8e4f08a7e6e870
SHA1

fb42be3f1464654c845dd9aa3173da476d3ccc29
SHA256

ba274ea2de487b6b360bdc45a944b356a6813d5473a7a9926937e4d0f6ef0947
SHA512

5dbd6a0d6a0956fe69923549805b036f62d120c902c5d3b133c71513c2be5e473c782477122fd6ee3f7cbf8c120123e02ad532a42566afd9a544690d2b72e7b1
SSDEEP

768:a7BlpyqaFAK65eCv+cIA0fm7Nm0CAbLg++PJHJzIWD4adZdhAIuZAIuniXKqAJxg:a7ZyqaFAlsr1++PJHJXFAIuZAIue

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4605) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4172-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023342-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/4172-1894-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Crashpad\metadata.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	6a4119fd592e69c86c8e4f08a7e6e870N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a4119fd592e69c86c8e4f08a7e6e870N.exe

C:\Users\Admin\AppData\Local\Temp\6a4119fd592e69c86c8e4f08a7e6e870N.exe
"C:\Users\Admin\AppData\Local\Temp\6a4119fd592e69c86c8e4f08a7e6e870N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
72KB

MD5
3e9cfd1f3bff06b8c203ee50ad5a9948

SHA1
e6de94cdb06a2e988e26a4d42aa84797d4caa604

SHA256
009f822c67d4c8346aa84aecd023a77af97727acc581076afc189a94aacce75e

SHA512
acf9bda2cbaeb5ffd0e69d769a2229cda4722348dc2dcd92d8d795d4be05b05f98c22c41bc8216d19a7bcc695c66fe8b51e86c322fb7c0aeb040449e03a42fd6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
ab9d97ddfd7f1a1726b0039eceb5be71

SHA1
f9eef2351c6d6aba903110ccb9ad3587121906cc

SHA256
5ff6920db3887faa32c04b398ec2d1b13d0de4f697f23bede38bd31ce1e369b2

SHA512
4ab8f4aa43489a4856c92e7fcb83ae13c479c4b3949e78f023181b64658c5715e66cb477dbdc39bbab34f9c90d58d9a66f27558e699c89bd16c8283be8218db9

Download Submit
memory/4172-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4172-1894-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download