fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
Size

69KB
MD5

107dd8db84fb1246a383de95412805fa
SHA1

0611b228f03b95a191222d5880c28958d84157d3
SHA256

fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595
SHA512

7c49953f69e522d25de66d8dd35b5035f00adadc045ae494d4b5dec7aaa5e77967597db98bd3ecaad0462d471e176a0f02bf0cfb937cf9ce91e7dd2c995153d6
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/tic+Llnonu:V7Zf/FAxTWoJJ7TTQoQc+LG/H/yZGMt

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2424-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000800000002346e-2.dat	upx
behavioral2/files/0x0014000000022912-6.dat	upx
behavioral2/memory/2424-900-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONMAIN.DLL.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnv.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe

C:\Users\Admin\AppData\Local\Temp\fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe
"C:\Users\Admin\AppData\Local\Temp\fd5ae0b109c12173086a1524019256bb8795320ae96d9595d57b935b33f39595.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
69KB

MD5
3eff8bf74bdc16c5b07aa7f85b6c2ffe

SHA1
9c66c01a12f0c37b64ccf8dc5ee6873c38f6144d

SHA256
bdf1cd985325c2d9fc00927e879356bc0120f6a59e42b791de59bc5751b34b1d

SHA512
f1026622065cbf6eaf59646e969a730461a4fdba1b72969d83275d005b4c328f025e1ce83d98a7d07b15218956613bafc3cfb11458a0455e744a166decefffde

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
45f1381ced151df24e6a9240858f0c3a

SHA1
1fdc1841993ac881702f34b45533396e6a1f984b

SHA256
6b6b666c00f355a148343f3a84370c06ae05c7c30f8bfebb1e988edcb00dfb18

SHA512
c79c523bfd5ae8996e0ea7e448fe65788a6816e26c66079ef3505aaf7dbcd88a379b764b269584f6b3b20f0f12ea51bd45b376ca6c59d6c263a7b0925e0e7562

Download Submit
memory/2424-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2424-900-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download