7ad46d012af4ce1ac87858828fe2029d5aa967588976821fd691863cdf686e59

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 09:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a089b9173c7805bc70a82bd2753f0050N.exe
Size

120KB
MD5

a089b9173c7805bc70a82bd2753f0050
SHA1

91a1468eb2b45937fef9f5dbba25df854bb5f01c
SHA256

7ad46d012af4ce1ac87858828fe2029d5aa967588976821fd691863cdf686e59
SHA512

62de46d7daf6bea6df1d7e34c5b453fe22135bf272ba8f0bab9f213b91d84fd68436f9916152894e06dd5fff8eb862f4df7192aa8d4b9b3da27c54673d1353af
SSDEEP

1536:V7Zf/FAxTWgGpG8n2ryruq3TWJGpG8n2ryruq+jH:fnyKp3nAqTp3nAq+jH

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4509) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3996-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023474-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/3996-796-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	a089b9173c7805bc70a82bd2753f0050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	a089b9173c7805bc70a82bd2753f0050N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a089b9173c7805bc70a82bd2753f0050N.exe

C:\Users\Admin\AppData\Local\Temp\a089b9173c7805bc70a82bd2753f0050N.exe
"C:\Users\Admin\AppData\Local\Temp\a089b9173c7805bc70a82bd2753f0050N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
120KB

MD5
dfc9e369b7e209c5998159ca2de2f4f3

SHA1
d74fb4b8dff02ddd82469709d84b8dba60948318

SHA256
037e90890ac558ab05ec51279432c1719a5e54ecf49db1e1ce3916671ed90d80

SHA512
288159ac6d630c1669b74306c02280bc5e465c94e884c6aaa0ec28607b7b160213a101959766beba515e88c3909a63f0cf010f39cd258c9d4338394fc3131acd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
219KB

MD5
1e3934ea6ecf727f2fb257900213dd04

SHA1
6bee3a6c8559c922533a432bc73d2d990f205c11

SHA256
3ae05a17078ec4a119f72aa224486efacb2c9d85fe8231c55363f2a8d74b8fcc

SHA512
d87d4b14f9b0456a12886e497a153089e717ae3665f7147790ff71a4fdd49bcfea865b2a6152bc10734e45ad43a215f2c8d2e04d84209188979349497aae1b2d

Download Submit
memory/3996-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3996-796-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download