87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
Size

26KB
MD5

0c206f3f112ccf225bedb2b062515a32
SHA1

70d78b640a89d58c358e79cfae32e3d93b64c627
SHA256

87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c
SHA512

49ae76f6a2b0b72088249033d0000db1f13b438ff05c2136918c33c3b48c0f0ea734e9adec9783f69635f7ee702edf7f41b2b9cecd7d27ac0292867b3afb7c4e
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9Ro+QOViJfo+QOViJ6:CTW7JJ7TPUN

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5349) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3040-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000900000002348b-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/3040-1054-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYML.TTF.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.resources.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\RTC.DLL.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fil.pak.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.tmp	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe

C:\Users\Admin\AppData\Local\Temp\87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe
"C:\Users\Admin\AppData\Local\Temp\87ff90a1b3c490f79fb8d1a915730c99a1e5059a9c09147e1ad93182113c524c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
26KB

MD5
7a6c006cefb52c9a1d8325fac89dfab7

SHA1
665938e4c74113e467cb55c39a532b470c451342

SHA256
771b49593917f00f86ceece1dcf6998a8f271d460ede0acf25b50ae7d2f07a16

SHA512
096bc8ce1d7b90db60c251bb7f6fc81920eabb0cb62da0ca764e081aef5006b108a430c6c3f73d0d4727cee524e768726f214a15b7e14fd570c2206483ddfb7b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
125KB

MD5
1b847fd9475ff151f5e92e9fd17b5cee

SHA1
078210b4e00b0ad61ad4d3805dd5bfa5b9235497

SHA256
e338b9b7a42ff642b041b2e464ff1279729b5859428a9b48c903f83001a59cbe

SHA512
6396c4c0bba1ec0259b489dee76bd42adeeb1b990c0db8ff7e139775e5088a76d0065039729c297dfdbef37c58c5f3aea348b32d7c28a9f919c03ad7b5331ec0

Download Submit
memory/3040-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3040-1054-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download