c7eb25f1b2d61459f28fa2c55c1e5cfa250d9dfa3b6369bb34d9fd63cfd2c84c

Analysis

max time kernel
119s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22d75605854013fbc2677fa31db356d0N.exe
Size

57KB
MD5

22d75605854013fbc2677fa31db356d0
SHA1

d2f785a95fe912c68e634d7aed76b5e32b6cb761
SHA256

c7eb25f1b2d61459f28fa2c55c1e5cfa250d9dfa3b6369bb34d9fd63cfd2c84c
SHA512

6512fb98dde957dc733d2b01ffcd16cb7ba886b63975a0d43f3a4157547da52f7bc9f1c189cf0f395bc85c4097ac73770e4e5f7bd29a82bdfafddf3339070f3e
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0md0:V7Zf/FAxTWoJJZENTNyl2Sm0mPW/

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3272-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233eb-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/3272-926-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\misc.exe.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	22d75605854013fbc2677fa31db356d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22d75605854013fbc2677fa31db356d0N.exe

C:\Users\Admin\AppData\Local\Temp\22d75605854013fbc2677fa31db356d0N.exe
"C:\Users\Admin\AppData\Local\Temp\22d75605854013fbc2677fa31db356d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
57KB

MD5
6d5fe25ec8b12b9526f83756e17bb663

SHA1
253fd23a2d31cbc8604443a04885b282959f39ab

SHA256
905a857816727f0a0e955061aada236e5bc6240436936df2b49a32b985400ac4

SHA512
b2ae5fd7739cd9206719c3173b19599d9b584bcee898269d20fede111b2447da06532c1993a9551eb2043d170c8ef0d84392b4184d82bbaea0d7ba9867593fba

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
385eb64289854e6ad7f4e0f7461ffdc4

SHA1
ba8a6c6f7f6180d655f9a5a934d0a5720850ad0a

SHA256
ca9cb291c37c85ed946459406eec085b5657d5c45d7184b3a4031dbe3ece53a5

SHA512
8b95598d4190b1a47b1eb2603c04d3c267a9ae8334757dbac51ad14aed14f68505376fbbc238567160582ae89fbc926f2ca8275752d6b547cae72adbe01ce5f3

Download Submit
memory/3272-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3272-926-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download