f6453abc1cdb1edc6cea55032b8256e0485039714d6501f913a722bfbf1e8b6b

Analysis

max time kernel
81s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f0805fa1753f1e78b4230002d023320N.exe
Size

52KB
MD5

2f0805fa1753f1e78b4230002d023320
SHA1

53ab1d5833e0794d1b2691ca04dd6031579568e5
SHA256

f6453abc1cdb1edc6cea55032b8256e0485039714d6501f913a722bfbf1e8b6b
SHA512

3b3ae8a337ee21701aa1d8ed5687f1995d86aeedaba581ae410b687b6d30b9d547441ffa79577eec34bf8a5a2f167f59725da720597bed7c51dd6987b0c58007
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFz9:CTWn1++PJHJXA/OsIZfzc3/Q8zxY5DSv

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (224) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1624-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000c000000016d28-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/1624-26-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcf.dll.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveNoise.png.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\directshowtap.ax.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\offset.ax.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.tmp	2f0805fa1753f1e78b4230002d023320N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	2f0805fa1753f1e78b4230002d023320N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f0805fa1753f1e78b4230002d023320N.exe

C:\Users\Admin\AppData\Local\Temp\2f0805fa1753f1e78b4230002d023320N.exe
"C:\Users\Admin\AppData\Local\Temp\2f0805fa1753f1e78b4230002d023320N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
52KB

MD5
1d9d65481cd0b908b8b544356dcb5d2d

SHA1
42dcf0f4b26c11b475837ae020b9eb3aedaee76e

SHA256
0b3a67a6cdadc7fe414e8da6cad953acb3d35611fcfe27cf08056115873cb478

SHA512
2a6de9bf1eed8d2e84d9979aafb36ed73032eacd6a3636fff4501f1bc461fe7946f0ccead975a5993bad7ba353ed1dac622f88b3109f051b5e0a7fde167dd35f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
61KB

MD5
56c3befbd317e7202509f3d6e0495f45

SHA1
3121dc6e3b2432cb4cb6dda0b8b7572b48753c92

SHA256
03ea904830002c1c0efce3477537940b23e937788a2de6351a677b90fc01b9f9

SHA512
912e1e4957603ca9425d0d3f65f30dd0c41ba82bb2c6d8e793d0a776c26e9b750b939f4d1f4e651aa44320cdb4748ffdb5eb59105d6a9fef06c34c0a0458357e

Download Submit
memory/1624-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1624-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download