d18453c10bf3c7116375d1fe26bf460e7d3b00660630d0f61a9fdb857e5637b5

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad8e2a1ea79ba1693f935bd55903e010N.exe
Size

156KB
MD5

ad8e2a1ea79ba1693f935bd55903e010
SHA1

9b3ded06a76147ea742ed3ba5466422235c1022d
SHA256

d18453c10bf3c7116375d1fe26bf460e7d3b00660630d0f61a9fdb857e5637b5
SHA512

edd3d1acc2824c636dfe39f63d7e1de861bf866ddd297a413687a1477014b65112c8f5d5cfbe211d599cbc86bcb447464aaef8538408e7a8caa65030ad1f0502
SSDEEP

3072:fny1IKX5vcM3ZpCbYjBQqOPzrjz/Lwn5NWRDv/f6ETy7oY8:KjAsjSlTwn5ODVy7oY8

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1432-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023420-2.dat	upx
behavioral2/files/0x000f000000022902-6.dat	upx
behavioral2/memory/1432-798-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Expressions.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Extensions.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad8e2a1ea79ba1693f935bd55903e010N.exe

C:\Users\Admin\AppData\Local\Temp\ad8e2a1ea79ba1693f935bd55903e010N.exe
"C:\Users\Admin\AppData\Local\Temp\ad8e2a1ea79ba1693f935bd55903e010N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
156KB

MD5
2c0d112632b6bd3ff26a59b250549de0

SHA1
63b6960c5355966983f78e78f8ed96ec6b895895

SHA256
9b8048ff78cebe1ba46741924e0c8e97c074e45be8fa29e814a2ee0e688b8f11

SHA512
c1ef615e9f1c1d6cb192c5184eab2fa5b94bfc66da19113f5d061a1d81b20ccc36c63a41df93cfdc3b968443decfe8a8753a9ab98a9d205b42363add19730fc7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
255KB

MD5
bc18f6277036fdd5f97050c4d52e7c42

SHA1
c5018f1b010dc368db933b7075779fe4e5507681

SHA256
e6a90bf6ad55d13a7b51300861a2ca55aee3972ebfe137c409a0c60177e988d8

SHA512
1c829fab26172d18dc7d13b3af7dee33e8117497b0769520d316868c15c6b6c15db2ac118260834d184978f150b409dd37ee1dc8d8a7408c0e7b5eda6ace2f5a

Download Submit
memory/1432-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1432-798-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download