8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
Size

46KB
MD5

108467a588118998f14cddf26373d3a9
SHA1

ea3114410966039e1eb9ab070b00eed64a460909
SHA256

8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164
SHA512

6767dc7b426b1acbbe074f94af27f4ba6eb37ef9b0a6ff7a61ec83cf7fb40dab1e804ccee428541d1adfe1f31acf5e9505e2d4f919781dc0f15e6d76d6839f52
SSDEEP

768:kBT37CPKKdJJBZBZaOAOIB3jM2jMO/7OSbo5+Oi6Jfo5+Oi6JvEXBwzEXBwkqA7a:CTW7JJB7LD2I2IbSq+12i

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5196) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4512-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233ee-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/4512-942-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\Office Word 2003 Look.dotx.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe

C:\Users\Admin\AppData\Local\Temp\8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
"C:\Users\Admin\AppData\Local\Temp\8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
46KB

MD5
d3cc679d605f4d5d369d525a0b410a08

SHA1
35dfd6f05ca7983252d938cea979e2583448063b

SHA256
3a50280999a65534e4a94b407ecd2743555f9888b3c133b58f52fe2e654cbf20

SHA512
4c94d95f9ba484730c09694f4f3c730d3bebceacb393c7ddb92893b3de2451e09708984e258a6ffcd2a7021b98fc2e6f6b88f57e9d940029a741ee2afdb6f51c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
a3e3c75b3008231de7ca5a450c7b2f26

SHA1
52c4743adc89f75f34d20303f4159cb325b58f2f

SHA256
c2f7c022bbd84cef5ace2f63db43f478287046822be0d6122f8c011e932db030

SHA512
9cb937c9e0033a98c31578036a16e9ad3dba74950c202ef9425f34bd5c0995b021ea15a8694d3bed5d041976dfabeb1e18349933f4b477cb2530e6d27a4ccdeb

Download Submit
memory/4512-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4512-942-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download