fe7d1611f097ca101082b821f93697d8a99329eb6940e90d57d1d456dcd32c70

Analysis

max time kernel
120s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dbea75efbeb285ea1205d67129adab0N.exe
Size

32KB
MD5

1dbea75efbeb285ea1205d67129adab0
SHA1

7cd84fa4d1745878cd7bc7f9d491c743a65eb286
SHA256

fe7d1611f097ca101082b821f93697d8a99329eb6940e90d57d1d456dcd32c70
SHA512

43a1b2dfef4a389fc15daaba1c06332dcf211791607ea0f5ffacc3c67a631165b3534de0bc40d424f995d9c590a0e1f54c0eeba85aaa1c702fedd0a57c3a0fc7
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeH3M26:CTWps

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4684) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1636-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023467-2.dat	upx
behavioral2/files/0x000f000000022902-6.dat	upx
behavioral2/memory/1636-1023-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationProvider.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	1dbea75efbeb285ea1205d67129adab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp	1dbea75efbeb285ea1205d67129adab0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dbea75efbeb285ea1205d67129adab0N.exe

C:\Users\Admin\AppData\Local\Temp\1dbea75efbeb285ea1205d67129adab0N.exe
"C:\Users\Admin\AppData\Local\Temp\1dbea75efbeb285ea1205d67129adab0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
32KB

MD5
0fd42788ebe0e82655218fb95175e095

SHA1
48241549c4b1446ac72d831bddc18a49e1c0ea78

SHA256
04f2a929cb7e2a7f6914fb2da99713d1c8a8f489998d670d44af5272e2a80739

SHA512
53db158960b77e6dbbbf1ab135f88527cdba79a8b6fd4228e258caabc6c59250bfbdfd850218a51ca1ad47299d308cf34bf3e7ee37527cea7f0ac97be9aa4494

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
131KB

MD5
1689d460c2f8b601a342ecb191f16189

SHA1
dc5b31bb77248bb2b0c8233fdf064310113b4457

SHA256
6358c860da2663a83857eba084a0f7a2019c33672ba692a16c29961827de4217

SHA512
ff872a35a54412c7fca9815f77652bf406665289b4d7ad001d9fb19427ed3db1612a650fa29abe0039e34009d98068922193aaa0936d7179379bc760ab6e3859

Download Submit
memory/1636-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1636-1023-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download