b0efc87067600d27cf344fdb43e3ac6355f79d6aa11543564b0723b47960e0de

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 09:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c1198678f12bbd796914743ae017e20N.exe
Size

54KB
MD5

8c1198678f12bbd796914743ae017e20
SHA1

fcef4d216594e777e14b743195e17b591bddba74
SHA256

b0efc87067600d27cf344fdb43e3ac6355f79d6aa11543564b0723b47960e0de
SHA512

ba410e7164cf65d6dd8ae76b99193b24c15c2b38439df1f3aa32e432ea0afd232a057289468bb7bafa1069ffabf4269d568cec3b1b2c7e63256be3e20965f3e6
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFIO:CTWn1++PJHJXA/OsIZfzc3/Q8IZTY

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1284-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233f2-2.dat	upx
behavioral2/files/0x00040000000228f4-6.dat	upx
behavioral2/memory/1284-1128-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfr.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\INTLDATE.DLL.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	8c1198678f12bbd796914743ae017e20N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c1198678f12bbd796914743ae017e20N.exe

C:\Users\Admin\AppData\Local\Temp\8c1198678f12bbd796914743ae017e20N.exe
"C:\Users\Admin\AppData\Local\Temp\8c1198678f12bbd796914743ae017e20N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
55KB

MD5
e1c75f989b0fc3bd9ca418dfe1b868b5

SHA1
b29b1eeacdc570a3a9ee0c6fc13d146d1bf0aab8

SHA256
49bc6c7e11232ea19af5b6eb7362d9c8de75070f22dc8a5a7d1d82235c8dfaf6

SHA512
45930e1e588cd499b6c5016acbb23628345a11b58ca4439a26e58bfce0b261826a4bfcba900dc3914d462bb444bc20bce92b1417065f4b976b7d20a1f58f62f3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
61e77dfb1e9defb3c9ca0d6e8134886e

SHA1
11dd0b6cd2e432ae7d127179a1beac6db176d2bd

SHA256
bc2a4ca39fc5c9dea7bf5e4d7bef15afc7c2a1686e99dd882b1d116ac5ef472e

SHA512
0d0f8111d0542627366e3e035c118c21845a7d8c159db85bbbc2709f0b100a2f3d1b4001202eecc2f73aed2e45268e38968e7bc49e4788188756dd2801fe22ae

Download Submit
memory/1284-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1284-1128-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download