38cfb585512705551275cef8e8d0b1eb25b270c9e2ea721d357187799209c54b

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a4b281d8606e4724f75a4178c8ba30N.exe
Size

108KB
MD5

33a4b281d8606e4724f75a4178c8ba30
SHA1

ba18d71540c3480dded99b22c59e9285b6498d8d
SHA256

38cfb585512705551275cef8e8d0b1eb25b270c9e2ea721d357187799209c54b
SHA512

a7469409546752b3ce29cee0cb054055d8d3fbd7a3e8250036861b8d9c58146e719a53b253e46433c2459cff3cd319f81462524264ec08278a359b4aa404c81a
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZf2XcqvcYdnS:fnyiQSo7Zf2XLnS

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4378) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1828-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002348b-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/1828-852-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33a4b281d8606e4724f75a4178c8ba30N.exe

C:\Users\Admin\AppData\Local\Temp\33a4b281d8606e4724f75a4178c8ba30N.exe
"C:\Users\Admin\AppData\Local\Temp\33a4b281d8606e4724f75a4178c8ba30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
109KB

MD5
05cc046803c5144e9916db948699de66

SHA1
d395bff79d4d677051eeb82b0a43d4c8546c9b83

SHA256
b0313d2f63d77f4c0176c87e5f0a4897f3874d9ac8db921d485f3244520603c0

SHA512
7bc6ae57750adc247631ee214cf7fca2e85158578a716329d797fa57de7eb242506f07b0b94f4904c4300383e58bc57282439447d943c895c0238bdd2e10ef7e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
207KB

MD5
8dc67f0dc9311549440cfea8c3d4cc60

SHA1
a7471dbf04a21c0004d9289100f3b74324d7af1b

SHA256
48bb0bc9701b5aa5a623f72d369c1753011e1de8a0e1e66d439bd51522e1cebc

SHA512
ed41cbdfcad227ffb234c511c9b382b809a5ec1b9272be10cfc80eb523c257b178b96dfb94cbf905fa3b8e0408f5a62d37d2c2f2337e695c3a247ce6f6361f7c

Download Submit
memory/1828-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1828-852-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download