135e362be876da6c76a1edbd5d5278cf5058254213bcc2492911094f1adab481

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

734de762abadc837520cc099669471f0N.exe
Size

49KB
MD5

734de762abadc837520cc099669471f0
SHA1

3a77c67714593bdadb3b7b04c8b298b6f6db3868
SHA256

135e362be876da6c76a1edbd5d5278cf5058254213bcc2492911094f1adab481
SHA512

2c08e40c20e5ad08258e0aa1e5ff098922a26644edecb57f01df9310bde5d6489705d943d25b8c0e8e2839f2222cef7f3c478adb65dc929552e77bb3e2ecb415
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI97LjLNLjLGT3:V7Zf/FAxTWoJJ7T1vJvi

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4659) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4488-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023487-2.dat	upx
behavioral2/files/0x000800000002348a-6.dat	upx
behavioral2/memory/4488-944-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\HideJoin.pcx.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	734de762abadc837520cc099669471f0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	734de762abadc837520cc099669471f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	734de762abadc837520cc099669471f0N.exe

C:\Users\Admin\AppData\Local\Temp\734de762abadc837520cc099669471f0N.exe
"C:\Users\Admin\AppData\Local\Temp\734de762abadc837520cc099669471f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
50KB

MD5
7995857c2e68bb8f1c203995d995f4c1

SHA1
1d8367e9fb6b794416ad2ffa13db4324aae0ae60

SHA256
94299a7d750e42fec4bdb8313b78b19df22543933d17ba6dad9e13dc1968a46b

SHA512
8235f28c5bcf0e61820b286c4b64cf4169bae34e1a8dd551f6260c0b80b322e16c74fba427e0caa3fc4a9f5b1ff9bc9df356ec95a731584e830c86d0817c2a54

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
b7a3acd31a3bd6814d0a4cf7d58e0529

SHA1
83caa3102e88cdbb08516a101e2706817f8ce5b8

SHA256
4d62cdd03cfc2d12d13ed23351f7d7d197beeb395938abca448b0eba2a8ec262

SHA512
9ed26074be1597330a61da640a0d8a9df95c813535443e2e876949f4a560394ecb2a37f036b6911160c05e04624865b921bcc122e6da712e4c23a798cf2e1dbc

Download Submit
memory/4488-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4488-944-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download