10a5d37faad21303f6e1d952fa4f1ced81215d70830b3700fa61ccc5b20fdab4

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07b5e8a398f5ed985102da0cce52fa40N.exe
Size

56KB
MD5

07b5e8a398f5ed985102da0cce52fa40
SHA1

3cebd492ba6a772668f643b57a21b387da2cd066
SHA256

10a5d37faad21303f6e1d952fa4f1ced81215d70830b3700fa61ccc5b20fdab4
SHA512

451349a3e183be03383818d565e99642e5337616359987eb8a870a6d5b5cb301746c488b0a9bf151328f2d6d0f94f80565f1878001426ce3254cc56fbcd3e953
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFW9:CTWn1++PJHJXA/OsIZfzc3/Q835ufF

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4663) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4100-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233ed-2.dat	upx
behavioral2/files/0x000a000000023438-6.dat	upx
behavioral2/memory/4100-955-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\currency.data.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	07b5e8a398f5ed985102da0cce52fa40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07b5e8a398f5ed985102da0cce52fa40N.exe

C:\Users\Admin\AppData\Local\Temp\07b5e8a398f5ed985102da0cce52fa40N.exe
"C:\Users\Admin\AppData\Local\Temp\07b5e8a398f5ed985102da0cce52fa40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
56KB

MD5
cce9c5cd4d705cdb7a95a3eea08783c8

SHA1
7fa21771fa90d36790f577e9fdefabcab8e62352

SHA256
e8177c5f83d02a4b5a37d27e3988860ea690985a1a13b8e44609ab3a9e02b474

SHA512
79ae0f1ef2d087c87409bc83be000004db675c3c99cd7f8896f7e7ed52d21cbe13c70052729ec3ea99e15c42ecc7077e5eba1a1ac616dcd518cc9e514c6360e8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
6283c41d402c7fd9556498c348e503d8

SHA1
364e77b5c7542008c80eae64d0aa43058fab1aed

SHA256
935c5a19f583bf6b7f30f3c6cbd3a8f4e326a81db322b11faa8ca86947348331

SHA512
a4bdaf1843def07fecffbd64272056b555d0a472705fb1281b4d14d0a00a1b44769930739fa2c32bfc88494596ac4ba6090d0b8ffb2cb608e17d5a43722f623a

Download Submit
memory/4100-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4100-955-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download