d6a1e1b40a83198366de5362bb49fb9aa0b11ab3e89ac026d6ddedcc0073d88b

Analysis

max time kernel
119s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

639498d758ae109a4fa7e8bace116cf0N.exe
Size

41KB
MD5

639498d758ae109a4fa7e8bace116cf0
SHA1

8ef03029caf7310cac1b6fa39100a36f29165dd6
SHA256

d6a1e1b40a83198366de5362bb49fb9aa0b11ab3e89ac026d6ddedcc0073d88b
SHA512

cd3b1e298eafd5aa005498eed9fbe3a59ae7ca8e022be86f440fab53483faabe4a5382d4167bdabda393ea0cb3b560b20a93311d74b57304e175f23863620a31
SSDEEP

384:FBt7Br5xjL2Kd5AsAoh6n5eaOlIBXDaU7CPKK0TIh6SjeYDTcYDTkZZ:V7Blpf/FAK65euBT37CPKK0Sj+

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4680) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3248-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233fa-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/3248-996-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7en.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Crashpad\metadata.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.tmp	639498d758ae109a4fa7e8bace116cf0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	639498d758ae109a4fa7e8bace116cf0N.exe

C:\Users\Admin\AppData\Local\Temp\639498d758ae109a4fa7e8bace116cf0N.exe
"C:\Users\Admin\AppData\Local\Temp\639498d758ae109a4fa7e8bace116cf0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
42KB

MD5
5d2a41c6613552ce2806308b4b4769fb

SHA1
b9872d42ac3d8e1ea838eb9a3d9d32f524b1c3af

SHA256
d515475c3dcd8be71e41e1cadfbed898cfe4c1e370da5e27b21902e095216429

SHA512
f0346f1e63eb843fd65c7730708e9cc1f308ad8f2d5e6f3a3ed94fe8e012a50e3125df2f3f2aedd1568b5d719f041e694503c88b5ec1c1fc44bd5a1fa87d375e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
583e43b0a8df3a789f129907ffb1a191

SHA1
23d8499a93ba713b8eb8925f79092765190bb7f1

SHA256
92963a2686040950ab34d4c4d527fef0c472f2e92b93f1d534def4b636bd8033

SHA512
168e234333fcdaf4c6d0048887e8e6317771770adfb714d61d55a4a57fbb54caf96f4d4f0026528fd1eb3a020af1c09e1381e424c18cf3dcae0bf165705631b8

Download Submit
memory/3248-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3248-996-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download