941142fda16bec595e24de35f900dba4282fc8d752850b767fc55b960ca5342c

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4e81331e92b7f1e9ca5b5e63ebab340N.exe
Size

54KB
MD5

a4e81331e92b7f1e9ca5b5e63ebab340
SHA1

ccaa676a847cd3cba80dbccd0dbde2ef4911098a
SHA256

941142fda16bec595e24de35f900dba4282fc8d752850b767fc55b960ca5342c
SHA512

e79eaa8a48788620b22ce60ca9e379aef810d13084044dab619279f37475e5f9fd94ba88eae0efa41c99a3a501d9fe6bb2ae75b00659770f027fc6c4d9498cad
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFIB:CTWn1++PJHJXA/OsIZfzc3/Q8IZT7

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4683) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3832-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023401-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/3832-1220-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\LimitNew.mpg.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	a4e81331e92b7f1e9ca5b5e63ebab340N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4e81331e92b7f1e9ca5b5e63ebab340N.exe

C:\Users\Admin\AppData\Local\Temp\a4e81331e92b7f1e9ca5b5e63ebab340N.exe
"C:\Users\Admin\AppData\Local\Temp\a4e81331e92b7f1e9ca5b5e63ebab340N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
54KB

MD5
3199a85dda1098f11eaae676a39cc1e0

SHA1
6c1d5a76ce421202250038462d183d6d519b95e0

SHA256
2fc348306d09a59a40ae544d76ecde23dd94c2c5e0e18ea1265be4316868844b

SHA512
d5c4927fc30ecc67cac626461f57b94d9df7e77aad98f7408cc5a8f469f2b4224eca213b49e25b9f309c2a382de8997e3010d23ca5a25623dfaf7b33bc9ad1ea

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
d2a3e15ac9b5dac522eeda0294aa7d10

SHA1
05dafd0cd61066631be01cb9ea047d97d73b3d4a

SHA256
10a36266219597b565ea776f7f361298cf2976a6b3f04d2f47f09e22810c2c99

SHA512
0cc0dd98e9044488d894e04cf9123c4b3684552f6482f971200a915eb600d42dcd7fab99e1eb31476db39d93febd7941f4b6b3d3948e9cb8a682ba547b040e2a

Download Submit
memory/3832-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3832-1220-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download