e9906761f9b202ec1aa05304c5c3cf54f3e7c2a17de69d42f3f729444f8bf00f

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a4b80bd3f981caa09029b7b5db63d10N.exe
Size

115KB
MD5

2a4b80bd3f981caa09029b7b5db63d10
SHA1

8eed08d5a4c68ca84df568f447406f035032e5c3
SHA256

e9906761f9b202ec1aa05304c5c3cf54f3e7c2a17de69d42f3f729444f8bf00f
SHA512

4922ebf76c05b28ce831c0f8c50c87412e7e68354aa0a3f3f245d7bdd35da0489102c34687aa9a078bbdb68da5b52a43ebe59097aacc3d7ac997c85eb1f914b2
SSDEEP

3072:fny15+opbmMS7BSFHQi8bLRCw/UnEllk+kffteA00afFk/cs2/n+Zlomxgr42vcL:Knri+

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4535) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3484-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023411-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/3484-846-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxcompiler.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	2a4b80bd3f981caa09029b7b5db63d10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a4b80bd3f981caa09029b7b5db63d10N.exe

C:\Users\Admin\AppData\Local\Temp\2a4b80bd3f981caa09029b7b5db63d10N.exe
"C:\Users\Admin\AppData\Local\Temp\2a4b80bd3f981caa09029b7b5db63d10N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
115KB

MD5
33295c116502c86d358ac9b0c2deb556

SHA1
f4a0af5ac0098a5f452a796173787af1c9a8bc01

SHA256
436d2d7db09220d544e9a5d771158f118b968f898e37a73dfd77e708c3d2eddd

SHA512
2ca9593c7ae59a07b821f8feec497f7ff19b93bfa9b13f80fca82bbda5f5ff35b4d0781de544a6d02a797f4b3ca8e0a6bb0acab7768c259a5a0bbb0b76a79f44

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
214KB

MD5
2fc32c22f23ee0978f24862a25b2587e

SHA1
0e4062dd803df17aefe97b765d5ec07daa6dd83e

SHA256
2283e413996cd9cde454c5ef38a28520f734a9a7735bb168775e39d8e64ca5e9

SHA512
d5241d3400858e62593fc049eac44da88322da289f47c2f76ef5bda61111818ccb98820c1224c363f72bdd0d2dd90a9974c9f31a07ac2098449bd4844c21a767

Download Submit
memory/3484-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3484-846-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download