cc9dd4b4e42b71c4110268f7534281357f02ab56b631f2ec65d6cb1eb74c3991

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b712799747fab32e90680a8fd39aef20N.exe
Size

29KB
MD5

b712799747fab32e90680a8fd39aef20
SHA1

091ecf3ccece9ad4664efae9e38f70e60db320ca
SHA256

cc9dd4b4e42b71c4110268f7534281357f02ab56b631f2ec65d6cb1eb74c3991
SHA512

d6fde3c2a89cb6010b730a089d25305b4616186bb77768c4931b4f3ae6e656a43dc51060991b40ed7ece11f98bb95da90f02421474111d765f78eb714c54654f
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9PyUV3myUV3X:CTW7JJ7TVym3mym3X

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4674) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2884-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233b8-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/2884-934-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.tmp	b712799747fab32e90680a8fd39aef20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	b712799747fab32e90680a8fd39aef20N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b712799747fab32e90680a8fd39aef20N.exe

C:\Users\Admin\AppData\Local\Temp\b712799747fab32e90680a8fd39aef20N.exe
"C:\Users\Admin\AppData\Local\Temp\b712799747fab32e90680a8fd39aef20N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
29KB

MD5
bc4b6290d0a04fcbb9be7193d785f52c

SHA1
aeac68b5695921d1a85984c718cc78a7a0f4f442

SHA256
9ffc8ced98b56e261b6ae333e2387e69c9fc564f6117fdd0e62dd119281910f1

SHA512
792ed6257ac997fc8a79ef64977b4af8ffbb0ac20a085ff58cc4640fe0c34dbee04de775c035cf440c74e5f3f79ef340248e096abe0ebd6fd5216dae731118d9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
128KB

MD5
61e85cc1d28506e831fbd343be164545

SHA1
4bf17acfb27a8959f5274ce2893394028b9339bd

SHA256
df47e8378c6452f230b18aa44067ecbdb9293b89907b0115cf59ff52ed6a85af

SHA512
d1a2becee62c448e8e7ba0db02d057a0566f54e7b9ab82d3cc2a10306f8cb6bc4c3358bc69b85ca57d1b1c1fc0d99d5f6cfdeee66f6bb897c247a93560021071

Download Submit
memory/2884-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2884-934-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download