f28eb19c1d7b0a6ec0728a36e05f4ecc8381c8c6306f67d58d73761037065d81

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29b7b66386eb53d288b3ede5dc6b6b0N.exe
Size

65KB
MD5

f29b7b66386eb53d288b3ede5dc6b6b0
SHA1

6d09e8945a6d2d520deadddf5017cd6a335a4d75
SHA256

f28eb19c1d7b0a6ec0728a36e05f4ecc8381c8c6306f67d58d73761037065d81
SHA512

2c3984ae9c1fbb81918d678b365aa796cd73787d575aa924df513fd0de65309c0d1888017f26cbbc0faace2fdf72a603ea512942a55dc9a21eddf1b105379fbb
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFz9:CTWn1++PJHJXA/OsIZfzc3/Q8zxSL4

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4658) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1644-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000234ce-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/1644-914-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es-419.pak.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClientSideProviders.resources.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IVY.DLL.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f29b7b66386eb53d288b3ede5dc6b6b0N.exe

C:\Users\Admin\AppData\Local\Temp\f29b7b66386eb53d288b3ede5dc6b6b0N.exe
"C:\Users\Admin\AppData\Local\Temp\f29b7b66386eb53d288b3ede5dc6b6b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
65KB

MD5
2b9a9cea19d7f8f5a09dcc5b0742b35c

SHA1
6a4edad1fd27fe229f051adb89f58e26214f50cf

SHA256
81a3859b3a39da8a04560d6598fe5941c8119004ec4722a2b21f5c5a7b0db842

SHA512
81264687330e6fe3c6aac76bfd9dd5876176cf4d52ab673d133023f719b3da7562f226559dde90081517c4cf07fd838453ba5f1fa463fc5173616ecdd679f0ae

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
164KB

MD5
e8fa8e0e18cf9c371387188b5fc0cf64

SHA1
bfe1cc8ca74d36c64b5fd752ddc863970a920868

SHA256
aefb5bad9ae44f53fa95708e1590778fa2de58944e3de82763aff52ac142e24d

SHA512
44c19c0ab99a46169dce1edd4a0ec810e8717f26150338b35611438ea2dfdf323835ec7286cbcfc2f38968c60753b8d19049111943c038a97ba25e1d7b3dc8a4

Download Submit
memory/1644-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1644-914-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download