40f48cee16bd5ba11b181b7ed89d1bfc8f07a6dc4955f50aba4169f288d81e3b

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c852fbe35aceb8376723a393910a8780N.exe
Size

1.0MB
MD5

c852fbe35aceb8376723a393910a8780
SHA1

c50fd70deb32ac9aac0b05f8e11b5ff9647dbcdb
SHA256

40f48cee16bd5ba11b181b7ed89d1bfc8f07a6dc4955f50aba4169f288d81e3b
SHA512

0cbdc29e6d739cd4f95957adf13799cd6a74cc0d3be348ee6969a222b26da06f1f482abfdbdb0ab33dd9fd64875fb050a7f9e66c9b31dcc1ea19d71ebd894f2a
SSDEEP

1536:V7Zf/FAxTWoJJ7TiuHJ0l3IRNeWlo9+0hh8HpE+B0XuePAY0zs1u/ET:fny1N01IRNeWlo9+0hh8HzMu3zs1u/ET

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1804) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4560-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000022705-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/4560-396-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fil.pak.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\cs.pak.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp	c852fbe35aceb8376723a393910a8780N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c852fbe35aceb8376723a393910a8780N.exe

C:\Users\Admin\AppData\Local\Temp\c852fbe35aceb8376723a393910a8780N.exe
"C:\Users\Admin\AppData\Local\Temp\c852fbe35aceb8376723a393910a8780N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
1.0MB

MD5
c905290455496ac6b282abfadd92bbad

SHA1
1e337dfc1e5dd2d50129c5b473f948f2629db1d2

SHA256
44d4e3ade9d340d49a0f3b74f630aa280d6635c76609b94702202d8809929b49

SHA512
62d57cf5148833faa2887f90005690a682ff753923b5ce6874db5918fa3d0e58a5396b4ede412f04f79cba4a9c1adc8fa0c536cd1250aa900a6ac29f65d94988

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
1.1MB

MD5
f683b9058bb9f07fe1fc715fef649b78

SHA1
8aad0db1cc33d9cb673674a9beb4de2b28cf28d5

SHA256
f095b47e83e1662d3674c3b1476b3c9e354aaf27bab3cc0c8dbbf879b0982a4d

SHA512
414baeee038a2757a30fc5997f5ac74484d6181c1a09024caaa7cb3f98c465ebf82357f7f093b9ebebf069b0be45f07eb7c9148d4e82e06fb315a8db93ff6fe4

Download Submit
memory/4560-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4560-396-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download