b9931a6cc49128e9bfae127e4ae036290d3bb8b3058ffd72e8e6118ed9372c49

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a832f5bc51040079adaaffa34009aae0N.exe
Size

69KB
MD5

a832f5bc51040079adaaffa34009aae0
SHA1

7a63ac94a5f1d994a6b50b420d296a89cdc2471b
SHA256

b9931a6cc49128e9bfae127e4ae036290d3bb8b3058ffd72e8e6118ed9372c49
SHA512

17c9678d9a8ee4d709f8af91a21233b4b10ec64843b68acc7f82eed7a2daae190836179871a6ee1e2a40cb9f804da08112b1f3c6e22feb3d283364c0fde98864
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8Q8/8fC3:enaypQSoskE

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1564-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00080000000234ac-2.dat	upx
behavioral2/files/0x00040000000228f4-6.dat	upx
behavioral2/memory/1564-1898-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\csi.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	a832f5bc51040079adaaffa34009aae0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a832f5bc51040079adaaffa34009aae0N.exe

C:\Users\Admin\AppData\Local\Temp\a832f5bc51040079adaaffa34009aae0N.exe
"C:\Users\Admin\AppData\Local\Temp\a832f5bc51040079adaaffa34009aae0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
69KB

MD5
76448386aa3518d5409530aa8994c66c

SHA1
aa95d15716c0746747c2263abe37ed2a6c9d9651

SHA256
ba35cfcff045a8d5a0af365143aa0b3d2e47d94d77fc79ed8893b8ad61546659

SHA512
ed0ffc4fe479c943566a3d23904e4bfff85c67a7930c90e7c16b2c326e7d2516e4b99f7e7f57f463b58c2f8296691aa6aefe5b580936860759550a58d815a1e7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
7cfd7e6bf12e9425144f032644bf6747

SHA1
35ece49131efe77f9cb69d4841b670f2d1bb0b84

SHA256
434c4cb05991cf50ba708e5039f19a9e664c240f0cc4726956c85259e4d6f980

SHA512
e29a0176932556bf2f9476ffd46bc2058e0df9fc04203a84427f56e3a6a82f7987243baf00de2e80d91da6f00070537769f76879d0e5ca4b538a2d6ae6892cf4

Download Submit
memory/1564-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1564-1898-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download