795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
Size

65KB
MD5

8b8b0ad3368180113e8be3ab7bf00db1
SHA1

eafd15fb8cfed45b808538e42978bf1c2c041531
SHA256

795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0
SHA512

c2ae1469da0668afe5467df19b03c0de987a02b6b942bbf5c8755dfff9e37070cefcbfaaebc226210968e71cb43fc3fc5f960efcbfb35dc058b443a486607b12
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiA:V7Zf/FAxTWoJJ7TTQoQA

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5179) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4620-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233dc-2.dat	upx
behavioral2/files/0x000900000002343c-6.dat	upx
behavioral2/memory/4620-860-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\LoanAmortization.xltx.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.GRAPH.16.1033.hxn.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessLetter.dotx.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\upe.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML.tmp	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe

C:\Users\Admin\AppData\Local\Temp\795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe
"C:\Users\Admin\AppData\Local\Temp\795cd15f3d62cdcb45a2c81f32a8a2625560d03be8ba6fd243e6d4bc9d8f6ff0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
66KB

MD5
a2d4eb60cce9bd9f347470ae702aea24

SHA1
d4c359895ea821d07db002ec1137e5a54a13256c

SHA256
865cda6eb15001b010db557922a7a6d694f3707ffdcac7924e9866e03de045b3

SHA512
cfae0e731dfa589f5966a2ab9d9fbc418137072b97b8efeaef9a75c147b9a2c1575199f9fdb75c7b274128aedac8a5f0fda79315d308dcdc4ff8ba48b63beaf8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
164KB

MD5
34a678a98300002d64dc57c6f96e1d4d

SHA1
2efa5401e6450a1ddffab54da987d58edafa9e84

SHA256
5881a2654de20fda0c9b220d91c566dc24035cdc16d1d008bcf884f0b4406309

SHA512
d6f3dfff2981fae94edef3d8e592f83a6fa9dad8beb55c68288ae0f4f5dd393199448cd54d19d262b1cc2c25b7ab6dbdd7dee1395f77cdc99bb960d7d9085e97

Download Submit
memory/4620-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4620-860-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download