10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
Size

49KB
MD5

163cd6546e212bc3352f6d806cf9d94e
SHA1

83a59d281494f3de54ce6345f00c27c6df659d0b
SHA256

10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc
SHA512

144711dca7373ef99accd6967cacbd84788abc8c06057280241929842dc298a5492b34b84174a5b424d0c6f418373dac13f3fc739e2535db9f17724f3fbf8730
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8zx35jtj9:KQSoU

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5180) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3320-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023449-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/3320-900-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.stats.json.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.DLL.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe

C:\Users\Admin\AppData\Local\Temp\10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe
"C:\Users\Admin\AppData\Local\Temp\10b8e40e8e794d78e6459a7b30965cea9c1f36028f8585db5b9eda2321dc10dc.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
50KB

MD5
367ed5f52fcaae65684b8b5145f9fb9e

SHA1
35e8c5c696fc857a0599b8afbfc1c7dcd63a1d83

SHA256
a429b41c6e1b6281a2485b01067519d13685dbd796e7a2fa09d62055a6627214

SHA512
ad2022301ed1e43e4da8f29818f285dc9af9bde10f7793fc3be24c8b7ba6fd90815b068c6f08b371f2e3464988c1377412efc3850a5690e6d28cce362fc832e0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
d1a69242c3726adf8ffe95fe323272fa

SHA1
af642d73891610a2d0b865ae67b4d7611485aed0

SHA256
3dd0957cf3439c74e05b614a51141b2fbd23f97862650920ee3964b286e40e80

SHA512
55dcf2b9413f7f0f177d72f4f5e1a735aed97c78669a37e502165c77e2523c870626731272a52d63e3cab4efc589c8aecf2ec23660eee0643b02b12e5de9af98

Download Submit
memory/3320-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3320-900-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download