df4ca57a2a96d17344e402825c1c787935608be43d5f1abc5b57520878167277

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cb7543bf304a29d9861e19deebd91d0N.exe
Size

68KB
MD5

3cb7543bf304a29d9861e19deebd91d0
SHA1

5c8f4228aea429e4fb022bc39d75b2593e10c051
SHA256

df4ca57a2a96d17344e402825c1c787935608be43d5f1abc5b57520878167277
SHA512

c9f81bafb23a6c59e59759a789561696960d55577a3420b293d300302660cc4e988f41343907d5f5c49b62545a851ae42a4ff13031a8438b729fd37341c30da8
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJBZBZaOAOIB3jM2jMO/7OSbo5+Oi6Jfo5+Oit:V7Zf/FAxTWoJJB7LD2I2IbSq+6

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4657) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/8-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023486-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/8-894-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_TW.properties.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsFormsIntegration.resources.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe
File created	C:\Program Files\Java\jdk-1.8\COPYRIGHT.tmp	3cb7543bf304a29d9861e19deebd91d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cb7543bf304a29d9861e19deebd91d0N.exe

C:\Users\Admin\AppData\Local\Temp\3cb7543bf304a29d9861e19deebd91d0N.exe
"C:\Users\Admin\AppData\Local\Temp\3cb7543bf304a29d9861e19deebd91d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
69KB

MD5
a8a5a96c3f6f638eae1b57e36313394b

SHA1
efb4cc212da1ae693a52449037891a1dab275995

SHA256
6bab8d4d8787332ba1a60aa7bf81016fc241997fee42a7fbef05a00646c913ad

SHA512
788c4dcfd8c8a9e04b6e2341d51946ce9d153ad7f529862d13094152a5ccab688d71b70011fde57151ce881fcc0b4114541ece749d6d21f15995f1cc973e1878

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
167KB

MD5
8fabe0c4ac09498a989f5aaab5226eef

SHA1
8c9a0d5a8077940a36a36bd107024432f8773af3

SHA256
3d28d8ee8e7bc33348698d43758a78e116234566859dc1c24944f8be894b3f84

SHA512
9752d75644d2552801973be2b8bece32720f827d4971a2180c4c2014c55f4f2c79143d8c049408a879eaa0ce64ae2b300056e7d2c7dd6c8e8c75420924c90125

Download Submit
memory/8-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/8-894-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download