0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
Size

47KB
MD5

7ae28b256f03b46c2a4c105e2462bff9
SHA1

cccc20dccecdff5f5c44ad45f958583d5772cc47
SHA256

0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d
SHA512

4159e85bd06debf96d75a523080baedba809f7d4df6e74544ea7cec8d027dfc373dc270518e840110936dff8c6713b07fe132edd38d2a3d62c14dedb18445dab
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9dZN/:V7Zf/FAxTWoJJ7TpN/

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2300-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00080000000234b6-2.dat	upx
behavioral2/files/0x00040000000228f4-6.dat	upx
behavioral2/memory/2300-914-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnPPT.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ru.pak.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\desktop.ini.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.tmp	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe

C:\Users\Admin\AppData\Local\Temp\0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe
"C:\Users\Admin\AppData\Local\Temp\0636904df72c7bf2791a242faefed8c0f222eb7fdde554609453e031fb063e3d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
47KB

MD5
663bb7c3e72dc265341f53cb94c65b20

SHA1
411cee7a9bb5ad48ef00bf046cba088d1a0a53a9

SHA256
1c2c9d252ef0788c36b1fb72e2c59359d1de07aa88cd1ca8c69dbb581f2e00a7

SHA512
c394fc3d166ca3b44b37ad93f96043b5b2cb176ea89222105e7aacfbf5c644a73ceaa5fdb967707faaedab55f9b50a19ef416f484848483be59ad42b315e4d1e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
9668fd57fc0d0a86d8b831399e3c1926

SHA1
d8aa1b2130c7be8c70d03184e6a5129c778bf26b

SHA256
5d4561b00a8f1369516f667364601115443a884ac4349dda63b2b37b4dad982c

SHA512
1e9818a9bd64fbddf5016f0d5c895fe8b372f9989af5f7fbe5dfc33906e30f9f58f2019c381b6c8339e463a2022045aec667b97c4aa7d29714b2e5697cb01338

Download Submit
memory/2300-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2300-914-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download