58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
Size

27KB
MD5

822193ceeade7e2bdf28e1379dbaecf7
SHA1

78b363628a4aff15c691e296cde83b5e641b1ba7
SHA256

58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9
SHA512

051def865a00a671fb04c7c9e539ae8b6f51b1bed5315eaeda134233082cbbb01862eb5b4ec5a7e7330555e91defcd12f66f12cbc4f305c58490096287913c90
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9Ro+QOViJfo+QOViJhnQRE:CTW7JJ7TPUdRE

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5320) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5112-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233b2-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/5112-1008-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.boot.tree.dat.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyResume.dotx.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe

C:\Users\Admin\AppData\Local\Temp\58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
"C:\Users\Admin\AppData\Local\Temp\58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
27KB

MD5
285e3511fd975045b0dbef28315e2b6b

SHA1
b90b8572a9c77662ee85099707a091ba89322936

SHA256
6e38a9a0bcf0bf3e05616618dd859f58c3444df98ac94195f2832c70ea675fab

SHA512
c7ccded5e50bbc283f928b4462b59adb72c2a81890e44bb556b9a73ae97db6657aa88f3da38b448f837d2343e83c78e769d3563f25d58f5326083397d3112f1a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
126KB

MD5
c7df9a7c06a8f0620b88cf4523705330

SHA1
7273dcc2762969b7415da6261eb8a8bd9b3f0d09

SHA256
e73fd5ddc79b49ca3d84bd9dfe0d30751766da10b8cc72da21af654fab94846b

SHA512
dbe1551b45ff282802f1aeea91159ce1d6a5c16de0fab67f3dcb7ad5d657c195a1f42e3f508bb255e7249b9873207ce4c91036cbaee926257b6a33294a91b7f3

Download Submit
memory/5112-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5112-1008-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download