ef2d0f0194ac41f708f2f866317ff4656d0abc4c57290f33eac20bac04d02acc

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d83a6e62d580c2a5ec6a6899c798e220N.exe
Size

90KB
MD5

d83a6e62d580c2a5ec6a6899c798e220
SHA1

461e8d6daa195c63fba3ca0e402dbcfab0c17082
SHA256

ef2d0f0194ac41f708f2f866317ff4656d0abc4c57290f33eac20bac04d02acc
SHA512

c738019ce95e43153bd207d1c94da5095fc7d069c587be52de5ef978ab25d7d1e9c8c4585bb30774fe7d08ab1677c1ca46d46f921a27449841f7de9982b2b9e6
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8Q8/8fCtyT25:enaypQSosk725

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4544) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2564-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233ef-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/2564-856-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	d83a6e62d580c2a5ec6a6899c798e220N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d83a6e62d580c2a5ec6a6899c798e220N.exe

C:\Users\Admin\AppData\Local\Temp\d83a6e62d580c2a5ec6a6899c798e220N.exe
"C:\Users\Admin\AppData\Local\Temp\d83a6e62d580c2a5ec6a6899c798e220N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
90KB

MD5
2271f366fe0b9db0c4d788e0738288a3

SHA1
a0501072dd102eaa4c8e553bc69972f5d4db4383

SHA256
2d8a63ea4a858844e4eae27a2f898bac930397381a27bc0724c3e23045e5425c

SHA512
4db2b7b6a0e4c313798a921b396c1f5b274eaa930fa08c1107c7b3dfcba09a27b1d8e0bd519356d58975f00913589aed140fe9228a6bbd07145e98718b04b656

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
189KB

MD5
a029f24e1793fedab40413100692c9f4

SHA1
f00964d269ebfb0fbc3c068a519cdc2d52cdb156

SHA256
13751f57dea50b83ada09822a6f62b06d74ca8bf390f2f03bbae757c796181dc

SHA512
fce5ea847dad39327248bbeda84a1668fba5600d3f020c859629567da8a3fbb5af198bb8626edc0818e106bacb29fa7525ebbc81cb3339b0d88911242235342d

Download Submit
memory/2564-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2564-856-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download