371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 21:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
Size

24KB
MD5

5417d0865102f7126a2d8d0d967b181c
SHA1

adb4136693dc4bd039008a1bdb02c74af7714923
SHA256

371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce
SHA512

a130d4c75dbe8b33abac14ec19d2343d1e5f443a957d0829f4b66ba17e6bc25d3163e08699931564b8bfef52ee84fd21a08694a8c68fd92d1cb12567f88749a5
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+93:kBT37CPKKdJJ1EXBwzEXBwdcMcI93

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5293) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2624-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023458-2.dat	upx
behavioral2/files/0x00090000000234a4-6.dat	upx
behavioral2/memory/2624-889-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-PT.pak.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\cs.pak.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ja.pak.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe

C:\Users\Admin\AppData\Local\Temp\371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe
"C:\Users\Admin\AppData\Local\Temp\371dfb271ae8df0d7fd6fa2cd22686ceccea83323eb39cfaa5554a5392df75ce.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
24KB

MD5
0c39ad175fdefa59416dd76d633fcf95

SHA1
0cbfbcb5dd07c1f1e10c32d1effdabcda79a0f26

SHA256
1053951039e130b120e6a0f9df09b6b9f1f779084fe8c72c6608010d819bec2f

SHA512
8c617c751a9d00c921def70b04ad213feb68c1278ff0ceeaea32332a3f9a943b5213fda6d4b6aee6659c9026d9e376456fc47ca43890e6fe70188d01050d4a3c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
123KB

MD5
3c824df3ab9245e8ef2c2ff9a90b48af

SHA1
9bc732121b1c7612e864d0401503b5a753cdfb75

SHA256
db0e0d881bcabf7c9f282b92212571f1d61fdcb45e6e72db4c699415e9e0bf90

SHA512
0bcfd5cc2b4a7d1d5b55044da0bf11a56d682eca908e07e3032f450a03b346377b0ee57206aadc44091c79ec9c4df81e516ec66cab2b3bfa1f04c6d633eccd8d

Download Submit
memory/2624-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2624-889-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download