6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
Size

32KB
MD5

439461275670ae40830d2bc3b7a85903
SHA1

8cbd98516234447a19f396070d8c1d0bd6ff9856
SHA256

6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c
SHA512

6e77f1a10d18f804522a0781822471cbd685998804d98a8aa445986874a6b0c93f8f52cfd7be3329ba8d86ce868e06c549339d0673452bb13e2cab8ba769c0b1
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0mdGRG4:CTW7JJZENTNyl2Sm0mA

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5193) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3012-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023464-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/3012-903-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe

C:\Users\Admin\AppData\Local\Temp\6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
"C:\Users\Admin\AppData\Local\Temp\6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
32KB

MD5
a78e5f689656339864deb0ff21d031d2

SHA1
0a3864e0378ba7defc3e16135049d6a0f9d7f83a

SHA256
4818ef98e67f63b806f14cc7b38e352a89c7ddce689e0467a6c671d58b3ead46

SHA512
a581c2926dbedd467cf29d31a8e1c73c159b0f6b20786e5c861dc489e3cc79cd71cec0e6d0d27035247d1aee1d1947c528c59bad0d86e6a0cf19bc15135b796a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
131KB

MD5
aee5fd9ea87ff7c312fbbf4ed4fba8b2

SHA1
2855acc618b5191982a198ef7437b9f2a42b876e

SHA256
ef34f55f4db50d7eb36d4015e27c9f4127d814202a81ed98c74f5dc2ce550eef

SHA512
910ec4f47fffe97cf4a9a1ef9f9a980b96e395c708fe0340aba5281dbe77835c1e6a1a0bd5abad5cd51ddfaef6c396b9b5fc9fd52b74ee4666bbfca64fa10995

Download Submit
memory/3012-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3012-903-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download