bc9b420c553e244222f72596fa19c9e65c5055304288c07ab900862c38a238fb

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99df5398e3a96d12ac2532018977d430N.exe
Size

44KB
MD5

99df5398e3a96d12ac2532018977d430
SHA1

dbd0ad229d8f394276637208d067006bb914cd4d
SHA256

bc9b420c553e244222f72596fa19c9e65c5055304288c07ab900862c38a238fb
SHA512

57c86cfdccf63fed679eddbe6e97de595434a00584873d669550cf1f91adfba98cc5a663591130ee0536dfb59c6b3bfef236794dfb90b3f2dffeb5c60b8f4797
SSDEEP

384:FBt7Br5xjL2Kd5AsAoh6n5eaOlIBXDaU7CPKK0TIh6SjeYDTcYDTkZW8b8T:V7Blpf/FAK65euBT37CPKK0SjeQT

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4628) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3656-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000300000001e62f-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/3656-878-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\InitializeNew.mpg.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	99df5398e3a96d12ac2532018977d430N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99df5398e3a96d12ac2532018977d430N.exe

C:\Users\Admin\AppData\Local\Temp\99df5398e3a96d12ac2532018977d430N.exe
"C:\Users\Admin\AppData\Local\Temp\99df5398e3a96d12ac2532018977d430N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
44KB

MD5
a08ff8a3583a966c60c4ffa91de15f0f

SHA1
8486d2c1595b75dba2e88c34513f21abb1f8d75d

SHA256
b7405a9fdf680e5ce16615bdce9d84a108c51fc048ea4307e6ea2f04f6050591

SHA512
51e572d65a6c7804ff11355be2c2d75b279cf946e748861587132df9fb602b0c5c80a9413e7a757ba7cc89c2036459627b814fc12564a29ff37c68e29f2b1ee4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
bc4a4f409e5a40ca377e0395671d83fa

SHA1
d4cfd3f029e62aef03b47f162eb27f0007cf67ce

SHA256
ed89ed5d109f8dbfe914b967dfef78bfa29129e7a9201fb96435e80f9b6bb43e

SHA512
a48dd4ae5ff4d549e676b735d70fbf117070293ee5d66e94609a835045c374c41277910702e22a5ad021e6882832c6971962d0c19580962348dca20a56c99826

Download Submit
memory/3656-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3656-878-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download