864aea20d3667e2b145e3b0e3df3ef335c58afe50c7706855c3972ea175ccd37

Analysis

max time kernel
120s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 13:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a330b83b51862e816889c04021d29c0N.exe
Size

169KB
MD5

3a330b83b51862e816889c04021d29c0
SHA1

543ee9efc74960dc9f980e10ca384c14d51ddb0c
SHA256

864aea20d3667e2b145e3b0e3df3ef335c58afe50c7706855c3972ea175ccd37
SHA512

db6ed4b4239c1818ef593d8c4cc3d09c9d9a08e649080291cbba2073441fffa8b31a39fd10ae346118b78afd28c924b4aedbf1e6f4ae5d773329f5a6cee0c0ce
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8zx3Y3hx+fsio5UxKzWZ64+A8C4bwc:enaypQSo6VEio5Ua4Nw

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4270) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2860-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023461-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/2860-794-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.resources.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	3a330b83b51862e816889c04021d29c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a330b83b51862e816889c04021d29c0N.exe

C:\Users\Admin\AppData\Local\Temp\3a330b83b51862e816889c04021d29c0N.exe
"C:\Users\Admin\AppData\Local\Temp\3a330b83b51862e816889c04021d29c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
169KB

MD5
6ad7968620e5f21129770a5c613b8d9a

SHA1
2d51adef7f1f5961e4a752eb02c01301d0f5fa81

SHA256
2140dd197e0ab38341ab946c63d3fe768a88d75d01cb24802eb48c4ab3a30ef7

SHA512
9902770c36dadbe002e4acb7b6ba52d57dea617b7b473feae063e26718a645ed406cfb3db4c41b1637de6e57681fe3b11a6ec526fdf14228b6fc25fb0a07cdad

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
268KB

MD5
cca4145911a8279ae9346afbe78e29a6

SHA1
4175896c4a7bd4278b3563f0ae0f8f5f94fce0aa

SHA256
cd6f578ec819fe9b017ba19e636a004133a6ce84aebdb2ae82dc48b911bd691e

SHA512
9a5354b6c47ec2bf96a1172b154ebe7d3b59bd66e1ce72befe79dfe90d001bde71f6b4d3f29622871ff7cccb79d299aa2da7e5220103938f364d5b3a7d2e6b76

Download Submit
memory/2860-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2860-794-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download