9c4fe2cb07deb134a853565e85cba74527167f1c072a08bff3439458a6c9a134

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40180e114f2d742b83e4d51fb6370d80N.exe
Size

73KB
MD5

40180e114f2d742b83e4d51fb6370d80
SHA1

46b0f86fb905fd8c5e1902428ab9baa8734167e3
SHA256

9c4fe2cb07deb134a853565e85cba74527167f1c072a08bff3439458a6c9a134
SHA512

c928eb336d1ff78825594c19b97996400c8ac6693efeb2e4ef7bae444db1bad48a97dbe85056ee9eeddd082e26bb1854284491e7d117b1f16950028bce4e5382
SSDEEP

1536:V7Zf/FAxTWoJJB7i2JalYNRw3XTW7JJB7i2JalYNRzqUS:fny1c2JaCc2Ja7

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4533) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3372-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023409-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/3372-856-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40180e114f2d742b83e4d51fb6370d80N.exe

C:\Users\Admin\AppData\Local\Temp\40180e114f2d742b83e4d51fb6370d80N.exe
"C:\Users\Admin\AppData\Local\Temp\40180e114f2d742b83e4d51fb6370d80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
73KB

MD5
91de4b4c989d3eedd7486c935a5dfb10

SHA1
b222ad96a3ce834b706792f79800487d5d7b6933

SHA256
044715cf2fe0d8ef04173193c89fbda05c9c49d45e1a2303d49584c85514a1f5

SHA512
00ed435f0083c16d84e9249a7f4f0cbc8b7f4ccff993445e234004bee17a8a3ebc364d4cc21a3c88bad830273be427045e0a4ef34ba84810d8358b47441cd04b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
172KB

MD5
f656c9255e21a78703dba8848aa5e5fe

SHA1
9e4218bacf435683018738ea97241e40b7c374c1

SHA256
041390f28ffa26f1478c7c5a817c75a90ddf2cae1f929ac0171aa371c4aaef1c

SHA512
9a001ac8740e6efb926b9061067ef178446be00d38e5e59adc0d160ad8308154cf6263bd138a90ea7c38c3d585405098202ea6e0e862836232af0c1356a8951a

Download Submit
memory/3372-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3372-856-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download