b8a1303dd5775d23b9c2418e3c4baf6340293412246f58c4ddf3c5e9b773983d

Analysis

max time kernel
120s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60cf66d71476e64ac1659d7c80a6b2b0N.exe
Size

65KB
MD5

60cf66d71476e64ac1659d7c80a6b2b0
SHA1

2b48b7c0f8bedcfe4fe2e0155aa2f43228ea556f
SHA256

b8a1303dd5775d23b9c2418e3c4baf6340293412246f58c4ddf3c5e9b773983d
SHA512

4a35fe2ab11b01010610e9ef31fe77af2243f5c6d79e7775827bce52cb2fbe6d54663af36352bc5ca22b1479e0d0e26f331fc6ca0f7ccef722305fe57028c611
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0mdH:V7Zf/FAxTWoJJZENTNyl2Sm0mdnwNO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4624) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/216-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233d9-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/216-858-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	60cf66d71476e64ac1659d7c80a6b2b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60cf66d71476e64ac1659d7c80a6b2b0N.exe

C:\Users\Admin\AppData\Local\Temp\60cf66d71476e64ac1659d7c80a6b2b0N.exe
"C:\Users\Admin\AppData\Local\Temp\60cf66d71476e64ac1659d7c80a6b2b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
66KB

MD5
cd96e1b4ce856ff6b39e8c8be8f02232

SHA1
8196b81c98471b3d9f395e4d90a8e51a66dffb90

SHA256
349e8c0ac763c7737f92dcf04a5c944bb53e972ce15253efa0eb4f6098c4b31f

SHA512
6082b8f057878c37dc65a26199981948fd0b7ae0ce68a934bb872fa6e8c2e6e3732347a7a13a2510f5d94a2e5b92b57d91aa94343fcf2e69c3e5e334eb95fd08

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
164KB

MD5
d1ec1917c95bb375f7618a3cffafb4f6

SHA1
d90a8072cd257f6b6206e15513bf6256b59d7424

SHA256
896017f57f025b45c92bc59db0ad9748491f2460c2f66c2f4debe7aab12184c1

SHA512
628d4de339ca28fa50172ead7668c141eb4128d8346cbe2c1be581e6724b8d673fb6ff54106c8f028a9845207cf70925353a943864663e4bd6189dd015601b83

Download Submit
memory/216-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/216-858-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download