61e36184cac8b6b798ebc77ee4eebe447d648a87ecd925f2e4c4f7c632a28b2d

Analysis

max time kernel
142s
max time network
142s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Label_Copy_UPS.exe
Size

88KB
MD5

22ae06e29376b1be53de2a509d734925
SHA1

6d3ba7c802926d9643eac5fca727c4dd92cf6776
SHA256

58a713b8201a97ce6e7fb1f0ede65b3d746de0d4bb370247e11b5a4ad34dfe6b
SHA512

b61b59a45d380576258f5ecde4500502a3cf254c9bfeeaf005fea16ba912b237d2f42cb7d645b6b8c5497e88154e57b1ff24047601d2db163fb3283b31df78ec
SSDEEP

1536:70qCO2BhXCTswe9phgDB8Zk1a5oc0smGsGVI/Xj/x+DtYBLYabbnS5Es/rmty:7T2PC0u1ooc0kwl+DG1xH8El

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2368	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 2516	2640	Label_Copy_UPS.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Label_Copy_UPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Label_Copy_UPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
852	NOTEPAD.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2516	Label_Copy_UPS.exe
2516	Label_Copy_UPS.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2516	2640	Label_Copy_UPS.exe	31
PID 2640 wrote to memory of 2516	2640	Label_Copy_UPS.exe	31
PID 2640 wrote to memory of 2516	2640	Label_Copy_UPS.exe	31
PID 2640 wrote to memory of 2516	2640	Label_Copy_UPS.exe	31
PID 2640 wrote to memory of 2516	2640	Label_Copy_UPS.exe	31
PID 2640 wrote to memory of 2516	2640	Label_Copy_UPS.exe	31
PID 2640 wrote to memory of 2516	2640	Label_Copy_UPS.exe	31
PID 2640 wrote to memory of 2516	2640	Label_Copy_UPS.exe	31
PID 2640 wrote to memory of 2516	2640	Label_Copy_UPS.exe	31
PID 2516 wrote to memory of 2368	2516	Label_Copy_UPS.exe	32
PID 2516 wrote to memory of 2368	2516	Label_Copy_UPS.exe	32
PID 2516 wrote to memory of 2368	2516	Label_Copy_UPS.exe	32
PID 2516 wrote to memory of 2368	2516	Label_Copy_UPS.exe	32
PID 2368 wrote to memory of 852	2368	svchost.exe	33
PID 2368 wrote to memory of 852	2368	svchost.exe	33
PID 2368 wrote to memory of 852	2368	svchost.exe	33
PID 2368 wrote to memory of 852	2368	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\Label_Copy_UPS.exe
"C:\Users\Admin\AppData\Local\Temp\Label_Copy_UPS.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\Label_Copy_UPS.exe
  C:\Users\Admin\AppData\Local\Temp\Label_Copy_UPS.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Label_Copy_UPS.txt
      4⤵
      System Location Discovery: System Language Discovery
      Opens file in notepad (likely ransom note)
      PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Label_Copy_UPS.txt

Filesize
5B

MD5
43fb2705d9766ea761f934981936503f

SHA1
c9589c81355baab345cd121a76dcd743d65e131c

SHA256
766a90366e6cac315d05afc9c97dcd6206a7f66da260dd41d209bb6ad13947e0

SHA512
ebf82587e4a8dad580b0c6c6959c73315c584cea82c41c073aab41854a44027fbc63d3f360651e726bfe71bc9e99a1b803574715e63d462f90182291ce3dfbf4

Download Submit
memory/2368-17-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/2368-16-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/2516-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2516-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2516-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2516-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2516-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2516-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2640-0-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/2640-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download