708bbaffd90863ec5252589a48fd53359e8bbe5b2a09705a557ea569c05acf34

Analysis

max time kernel
120s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fa15212cd979d9fb25027c1939e2300N.exe
Size

34KB
MD5

5fa15212cd979d9fb25027c1939e2300
SHA1

2b487ce80f20f4e02beb3d1cd67b6146aae34870
SHA256

708bbaffd90863ec5252589a48fd53359e8bbe5b2a09705a557ea569c05acf34
SHA512

49e11599982a8fa99581a8f62de27488993a608bb8343a650c23ed5d7fe2d4bcc144c88abdb23e431a8c4b69b25774357b5d75136956a7043803f2447d8b035c
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9RxsZvxsZT:CTW7JJ7TXwQ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4685) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023442-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/4608-1011-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\resources.pak.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	5fa15212cd979d9fb25027c1939e2300N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fa15212cd979d9fb25027c1939e2300N.exe

C:\Users\Admin\AppData\Local\Temp\5fa15212cd979d9fb25027c1939e2300N.exe
"C:\Users\Admin\AppData\Local\Temp\5fa15212cd979d9fb25027c1939e2300N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
34KB

MD5
6b2dace69ab0a543bed221a8829134c8

SHA1
94b0c9f22c24a8aacb763ee37b56e644992a6e8b

SHA256
7a47252312fdf68c5e2a4effd4d115c4d1133f3e0ae0e086ef04032e826bea8c

SHA512
cf98811c7f1ea60c7aea689b1da388f5c25b888dd7fe52257dc8850804b81e9f2ca48a26df24916373adc9f41ee08495f40c1a28b129441b2b022dde83562601

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
133KB

MD5
7033c83c308cb10ce23d969af0de22ec

SHA1
684a334b61df9c45138efd38ef96c808a3991b34

SHA256
2dbaa3f06110d7d5b034d3e5dc6c8c27ae33c35142f183683fe1b00cc42f4516

SHA512
ca7a63fc564c23dc99a4262f7106b2a32ba733fafe0fe92b8a6c6b74346f36d98f9a70101aa0fd830a1720d8e6dbb3819d245ec82a80a1c122999c0cf90957a2

Download Submit
memory/4608-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4608-1011-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download