df10603abcd5be87ed1a0387cee068c5c9454ac49da2a4cfb0add192915c635b

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 09:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f73f5ee13e96ba6e97ba764358ebf950N.exe
Size

68KB
MD5

f73f5ee13e96ba6e97ba764358ebf950
SHA1

ae13964c12443d40ba1a3221c3c69b2ce89931f5
SHA256

df10603abcd5be87ed1a0387cee068c5c9454ac49da2a4cfb0add192915c635b
SHA512

a60b4fbeaeaa2f3074faed956c43394e7d7fde37b403ccbc1a34630684185b33d3e5cab26d382457e88b657c0a072b769487b14f65050da1c00a4a2c40dd7d1a
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZBX5WX5Z4/:+nyi4M34/

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4370) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1912-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023604-2.dat	upx
behavioral2/files/0x000600000001690a-6.dat	upx
behavioral2/memory/1912-866-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLSLICER.DLL.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp	f73f5ee13e96ba6e97ba764358ebf950N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f73f5ee13e96ba6e97ba764358ebf950N.exe

C:\Users\Admin\AppData\Local\Temp\f73f5ee13e96ba6e97ba764358ebf950N.exe
"C:\Users\Admin\AppData\Local\Temp\f73f5ee13e96ba6e97ba764358ebf950N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1012,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
68KB

MD5
c2c638eb893172e6c6935d8ff9def0eb

SHA1
ccd1e508b941b50cea65b233799bb706ac97d404

SHA256
61954eaa57870a6eb11af469e6d5bd5e39b7f2258d9dafe6e384a8c83160eefc

SHA512
0e5a6211da5b05f7fcadafc9cdae6f2b313f237fabf1771c1f7f4b4f2d568ed70fd312300059b5aeba05012b77e591a52167837fe77fe47ec580b7e1294ad5fe

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
180KB

MD5
56473fdbe63e47db04a327adbb21a04e

SHA1
970e67751e1c75b051934bef380d6efc0e1d708d

SHA256
dd709fba858314915de97d2cd3fda6db330994f3d731e91371a9d0a9868b5c3a

SHA512
d54cbc461735fff00d68e1da779338480c78dc5364532b64c8c2f73ba9589dad03f356f66fc1cfb51be78974bd15068036720ec232bf624a4f54bf3f768af1fd

Download Submit
memory/1912-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1912-866-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download