fc2008fae59cac9219602d17c77518906d5f8dcfdc65f3ededbf7e746a2bfa1c

Analysis

max time kernel
120s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb66c57f2928fe95834643eeea6b990N.exe
Size

76KB
MD5

afb66c57f2928fe95834643eeea6b990
SHA1

5b21c6068e86eed25b04543b030461a2b667159b
SHA256

fc2008fae59cac9219602d17c77518906d5f8dcfdc65f3ededbf7e746a2bfa1c
SHA512

b1e9528234c4aa07af1e2c4f720d929b6876c192d755a413809ceee9fa7e80f07db080371710440b1e2df7bc93bd7bb122053042c666a71b4204d3e1dcce947e
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rt:V7Zf/FAxTW/ySSh9j+9jpGnfO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4521) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1588-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023495-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/1588-868-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afb66c57f2928fe95834643eeea6b990N.exe

C:\Users\Admin\AppData\Local\Temp\afb66c57f2928fe95834643eeea6b990N.exe
"C:\Users\Admin\AppData\Local\Temp\afb66c57f2928fe95834643eeea6b990N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
76KB

MD5
99875f90c2b25424fbf3af887478afdd

SHA1
007cee56e23d4744f2bdf02076621f0248d2fe3d

SHA256
720bb226b551844428cc005d54795f01c732fde42a34fb97dfb915fef6015de6

SHA512
cac8205982ece041b3a4b189a8a553a2dbfe60d117c0ef6fee0ba363ceef9b64faaf1471006fd64e2390b190d362c249b77a18b8d7981a43f196abf47969bbeb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
175KB

MD5
bfec62ccea9c1281a345c983887e0fd4

SHA1
97c424594c896e252639b87ec9872517d39f3907

SHA256
f0c9c14c3f0f162d96b8d9d033d878dbc900bd25617106374dae17a81cc6dc6d

SHA512
0fcfcd38f87bd6f725435d42f6801a11d32dc490393d59163a116ddf4a6561820bb31ada1d45ac4240ee8b150f2f404d3c10b4c19d93e5af6ba81d25ffdf6a64

Download Submit
memory/1588-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-868-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download