0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
Size

28KB
MD5

937d7cf40d42230e78c07baf8a84b0ee
SHA1

3d72f9b3f0582f744d6fb74aff28aa0bf1b97a33
SHA256

0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac
SHA512

f1b37d6b197aa33c9ffc8fce4a98d6dcdd1b782e92840d97bbe5fdb399befba618511e36f426fb58ccb6aca5cdd04ceacf6ea73e804119c4c05f5e8c0d868fb4
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9NNgNR:CTW7JJ7TzNgNR

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5296) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1512-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233d9-2.dat	upx
behavioral2/files/0x0008000000023439-6.dat	upx
behavioral2/memory/1512-1222-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.tree.dat.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\dnsns.jar.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FREESCPT.TTF.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe

C:\Users\Admin\AppData\Local\Temp\0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
"C:\Users\Admin\AppData\Local\Temp\0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
29KB

MD5
2e851373ec9d1251f986a773dd38c3f5

SHA1
d954f457571f3c69db5ef2e9cc0090d73a0627a1

SHA256
6f8c1dc35890ef00cf1793c0dbaf96e7fd7e75169f49f6fb2c4ad348b09e2cdb

SHA512
cd8b796a272079b71cda1ed53f0a3d61095a991192431226e9c060920d91e88bb0eaae82732b6ebb46800e965138e9ded0e01837d1aa773d84d5686d551f9574

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
128KB

MD5
1d9ad99e5208b6b492f9aacc48ca47a7

SHA1
6bccba33c7a86d3384b017f97d06921212c7257f

SHA256
3326a00c6fee991999593a37227d5cf01a15cb85bfdc5d0e6243d2e5733319ce

SHA512
16300bcc1fe17201ee5ff722f6e49a3cf9295f9273968b97d146398c08ed5be6889186df6abcfe616b52b9621bdfbb1502e2b0587f2831a15e571721726ed73c

Download Submit
memory/1512-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1512-1222-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download