12c9bb8af3d84b3597dfd91ef663f86b7245350b3d70563ad49f5b228eab3bc8

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 15:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1da9289b56faa3c7dfc312d4d305a380N.exe
Size

46KB
MD5

1da9289b56faa3c7dfc312d4d305a380
SHA1

5a945bfe5cb8a7bdad7788b858de5db3580c7e38
SHA256

12c9bb8af3d84b3597dfd91ef663f86b7245350b3d70563ad49f5b228eab3bc8
SHA512

aa5b192d3a46bdd670aec40ac1377de480d78dcac3cdc765ce7451d391bb0820f46e6766bb8b3897e319ead6eb4bb10621bf449e93b1db53e0b25a8901591b2d
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9M:V7Zf/FAxTWoJJ7Ti

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2112-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023489-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/2112-900-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfc.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	1da9289b56faa3c7dfc312d4d305a380N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1da9289b56faa3c7dfc312d4d305a380N.exe

C:\Users\Admin\AppData\Local\Temp\1da9289b56faa3c7dfc312d4d305a380N.exe
"C:\Users\Admin\AppData\Local\Temp\1da9289b56faa3c7dfc312d4d305a380N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
46KB

MD5
bf453694111648a0a33becf8b673d44d

SHA1
9dda00c3526f22eed5c8ca505ce79ab7d89cca4e

SHA256
8c7e5413a7ad3ad976dc28e1bc208ee87df125b079f256c4ed879a6d62108a17

SHA512
e13b6d279c52f88fc46910f263c38bacc99332e3a69c58fa54feccca723fc5f71d7c2d2d04af32d7dbe4565ed2f5bfeff7c238bc8aa565c4507c45b0487dfb9f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
37c139f520da67a212f89cc3f68b4ca6

SHA1
686a11aa94091d997b3802aa0e3c7a2bf1486791

SHA256
2f56ff13151d630783328474fb428bdc93ec59d22c38bdda4bd2cfe26bb0374f

SHA512
777e32b8d138d0a5d67efb9d21a242328e49fb4ba70eb16a15fad43808d910925a786210f7661e34682b0a175e44a25a6ef225ca6c7b53f6092502becd22241b

Download Submit
memory/2112-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2112-900-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download