5652fa2647bc975bd29cba68fd06aab3f0d3ea95c7a838730a2f6bd7e107cff5

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed215f25429217a88a7eb2fd3823ea50N.exe
Size

50KB
MD5

ed215f25429217a88a7eb2fd3823ea50
SHA1

44d33a73adf126c195565f5e218dc9c4c1db2fca
SHA256

5652fa2647bc975bd29cba68fd06aab3f0d3ea95c7a838730a2f6bd7e107cff5
SHA512

ebf7d51474c2ddaffe73e45b299a5f1d5c5126f5c358475c29a762457bb62be958acf50905bb0f1b528a95acd440d60ec9db88c2f6817e6da9b6fe3a23f5009b
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI953NIw3NIl:V7Zf/FAxTWoJJ7TH3NIw3NIl

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2624-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023462-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/2624-878-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\af.pak.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	ed215f25429217a88a7eb2fd3823ea50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed215f25429217a88a7eb2fd3823ea50N.exe

C:\Users\Admin\AppData\Local\Temp\ed215f25429217a88a7eb2fd3823ea50N.exe
"C:\Users\Admin\AppData\Local\Temp\ed215f25429217a88a7eb2fd3823ea50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
51KB

MD5
0882b863afcd7f41724c6231e8821117

SHA1
83de3fdc038a0330572a5e0522211aacaa4f461b

SHA256
dbc40738b5c56ef07308e23893ebbda50dfeb5759f9007f239fdcd116e59f9a7

SHA512
2e38175cad071f8566905b1b2d7cc9f6f2e9873139ae603dcc0e3f518ea02a4deadb4ce64c4aac140918fee9f3cffc92b218b48f11094097ca3072d06e6a63a0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
4d90a2ff7ecd1f26b1d4c49d3bdeffa8

SHA1
1409b206592fb8fef4b2f257fbd8c2649ea475f7

SHA256
dce06263194bf909942964660f7f810d8d9dfe36e0435feafa69cc6e59cdc85f

SHA512
35d039bea75bb02f6765530a50a626a907bb68545abb8966b221c701a0c9e1321abdc663d51dbbdfbbc4575a9805206c43b132d34f63d55b1f79cdd65f508e10

Download Submit
memory/2624-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2624-878-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download