0fef482a85d668d5223212f0dd3c2692bb40b54bdf8661ae970e3aface5ed0e4

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48c742691e8c1944fc68bf44be630da0N.exe
Size

36KB
MD5

48c742691e8c1944fc68bf44be630da0
SHA1

a2c8041ded913e03eb299e3ed73dd449ad7a7c09
SHA256

0fef482a85d668d5223212f0dd3c2692bb40b54bdf8661ae970e3aface5ed0e4
SHA512

7c4abf4eb7cc2b08bb5dd5f617e716fce7242519001cd64db112a62c4cc9f9b12af2d473bc450f3c25fa0df34a8dce9170990a0dc63aa3b46a212f59733b6a70
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcwBcCBcw/tio/tijcd1:CTW7JJ7TTQoQjcL

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4702) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3484-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000800000002347e-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/3484-1006-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\accessibility.properties.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp	48c742691e8c1944fc68bf44be630da0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	48c742691e8c1944fc68bf44be630da0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48c742691e8c1944fc68bf44be630da0N.exe

C:\Users\Admin\AppData\Local\Temp\48c742691e8c1944fc68bf44be630da0N.exe
"C:\Users\Admin\AppData\Local\Temp\48c742691e8c1944fc68bf44be630da0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
36KB

MD5
7872b0b0d8c322cd9eb91a78b00a5d0f

SHA1
0c2d916bb77bae5d876417b6958e9f6a178fcf8e

SHA256
9c76fd46d6e37d8b0c7a0e6a9e44ebdebabba32380f11ada03949689c68c691c

SHA512
e60cb85631af96225134bf805b16c771f219a49d4b32ebb3fd716b0744c902d588937feb6808599f32aad14c5851464a2b084003d01788c9666b8ebe9171f1b5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
6b04935c60285f0bf5426b94c939f30e

SHA1
4ce7bf9d8278e42c693c401dd61861d1a15c0ac9

SHA256
218da4f578571c9de6a662981acaada37b33c5cbe02455eb744f238857bd0d32

SHA512
d59833cd044753da29e2e9488ee4ad4b226692607539030e4592f8adccf8e11912e88b87fc22a4111a44be383488e6e1ec541214f2dd78dd081d0633d34176cc

Download Submit
memory/3484-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3484-1006-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download