bd47661839824d42ef14f76d3bb2abf852655a87a7a466d974a8fc458dc86e54

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16d60e61b5a01e6c5ca801b0834237e0N.exe
Size

166KB
MD5

16d60e61b5a01e6c5ca801b0834237e0
SHA1

1983d4cc898fd90266a9cad44c4617b2f711bf2d
SHA256

bd47661839824d42ef14f76d3bb2abf852655a87a7a466d974a8fc458dc86e54
SHA512

bc05504feb4d38740370808344f620c4b94690a44baadf347b0ca9d9fdb508bc8264a38bbcacf162e12f047268720dc5f08ef58048620de5e6aa117896daf7a2
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8zx3Y3hx+fsio5UxKzWZ64+A8C4bw2:enaypQSo6VEio5Ua4NC

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4205) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2716-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023456-2.dat	upx
behavioral2/files/0x00040000000228f4-6.dat	upx
behavioral2/memory/2716-776-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\ClearPing.odp.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16d60e61b5a01e6c5ca801b0834237e0N.exe

C:\Users\Admin\AppData\Local\Temp\16d60e61b5a01e6c5ca801b0834237e0N.exe
"C:\Users\Admin\AppData\Local\Temp\16d60e61b5a01e6c5ca801b0834237e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
166KB

MD5
88db9c5473d521826a4328de0e831314

SHA1
58f8ab5e00e5aabb6a9365ae9d6c7853b6868fdc

SHA256
b5dad780cadb6b90dab73fb047f4ce2ee80c46fdc2bb8cdd337180596b11ee04

SHA512
d92ae3fe46f59e21d9860f35ae3d711394fedd07043c15d651bd3654e72586d1fa95efafccf6602d5de5bbfd7c6d5e65df8df13fceac39bf7eb93a910494d020

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
265KB

MD5
859f020c799de9f1e0f5566dd53e5d09

SHA1
9b236932e88a7eebb31b3dbfcb7aa48a89f88950

SHA256
59d30d6c994d8723f95db0fb65629105c7551524efd206ac4509fc84d981fbb0

SHA512
5409e5bb48ad3b2429a31cca4b853e70ee307c89c0019e9ed36be2a4ddc7d6f90c9719033b0c3b58348c6fc675ec6febfc74e90205c15acf985841dfa2ac5a30

Download Submit
memory/2716-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2716-776-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download