4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
Size

59KB
MD5

48ea42b166f71770be1c96f027276bd0
SHA1

70616c8217000cfc49d79f9d45b63d2abb6092f0
SHA256

4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09
SHA512

56a5d950f6a42308365b8666220ee6dc1c6e4ef0e95727b49daa09366a758163a61e7a1a91f3f50b0f3ed073e5b583e7639521f090640cd6df196700cd5d6758
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9nj40g40z:V7Zf/FAxTWoJJ7TJLgLz

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5164) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4416-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002343b-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/4416-846-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jdk-1.8\COPYRIGHT.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ul-oob.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\TextConversionModule.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSB.TTF.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.boot.tree.dat.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
File created	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.tmp	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe

C:\Users\Admin\AppData\Local\Temp\4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe
"C:\Users\Admin\AppData\Local\Temp\4222e678e8d1d7adf3de63b34ab20022c4e8ca206b59afffe92cf66db2efce09.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
59KB

MD5
a969917cea530f7ff827b1152ae4bdbf

SHA1
f1e62c4f7654d2c97ea252310e8861fb4048c82c

SHA256
d5d028fa3a7ee6e71e95eaf24ff04e6944872028930f1ca6694962e46693d525

SHA512
96b1d8dce5dc0531ebdbeb7536c59e4aed6b47428ff6210673949dc8d0f27c472686b53fb6914f6c0c2f98ac03e7109534d4dd27e85ff900bcf961fd52bdbd3b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
158KB

MD5
d860797d44de73a777facbd75d719f00

SHA1
33ff83692ccc0997dae0c41a1fb07020c0ff93ed

SHA256
e8b196bc2f821bbfbf94f009ce4c407f54ee8b5dc90b7f4f97cec4b065509e88

SHA512
b833617caca17bee8abb18370412148fa2385485decb265c184fe8f95c7d22a77f8717867b36c04f9f54b3e3fc9540a8fae9f07b2fe71629c6c83e265b948d81

Download Submit
memory/4416-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4416-846-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download