3f5583f75d4367c25a1bdf9ddd1cd1928150b9573ccdaad290c160667b01ad7a

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
Size

50KB
MD5

4b020b5c2ba64eb8ecd0f8b13dc3cb00
SHA1

6d9cf9ac70b92c5834a2faeab6ae458e854a051d
SHA256

3f5583f75d4367c25a1bdf9ddd1cd1928150b9573ccdaad290c160667b01ad7a
SHA512

9a9f4f447e3d693e34f0c251057c8be36cc725278dee8135664cab236f187b3276773862a5dac317437586eaee9d891b3399fe8e9ba41a953d1599ef1ca39cf8
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeinMdZ:CTWUnMdyGdy4AnAP4Ww2wg

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2528-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233cc-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/2528-934-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Xaml.resources.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\LockResume.xps.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_font.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe

C:\Users\Admin\AppData\Local\Temp\4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe
"C:\Users\Admin\AppData\Local\Temp\4b020b5c2ba64eb8ecd0f8b13dc3cb00N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
50KB

MD5
fccfeeb4fa92c50812d5dc8d6d4d115d

SHA1
49f4882ef150bcd0a617ca448001de29827b7f25

SHA256
c0794659561e521612a5c771f9ffef80d6cf6be7a3634db50f16f169072e1551

SHA512
bf3cce71762d3000637d6b664d44d6a3d51ea466962b04bb0cc0f9ce3fb223ac6ceb6e16da72908a28bd387dc89302f4517099090a045685ae991c6628601527

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
7cf8594db6f90ce52435f6eae5f493f0

SHA1
e9bdd0cb19c1c4ddb98fe07af8f10716617a6ac8

SHA256
2deb079e862c14f9d51e10d0de352527020e4c4708870c60fdbb118cfd6cfd56

SHA512
c9016199fbd7e97f84c53fa760f3666f44ab2a5e5c42452775df754ab564522a32d6cc71a9c876d7afdf928a90237844590af4aee5a6f4f4d44b43eba7347bf4

Download Submit
memory/2528-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2528-934-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download