6b41e8f07eff69ce9d036833b5de6d8f7edb3801e785a0c3bd0430027cc2731d

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 13:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b51a7566b5d2098cdf2a3524a81ffc20N.exe
Size

44KB
MD5

b51a7566b5d2098cdf2a3524a81ffc20
SHA1

388bfb4cd5bbb6be9c7b255cda752cb1989c9b7a
SHA256

6b41e8f07eff69ce9d036833b5de6d8f7edb3801e785a0c3bd0430027cc2731d
SHA512

470b21a9b9d8f7421f9287039da45254edc122cb16ed802d0a1c3e78405c419ab49430626be93385dd67c4350430fab5b386a455ca19fab677b7bb7dd814f1d3
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9nGcjkK2rvVkuSE1NGc1NGv:CTW7JJ7T7jkKCVkuSyEKEv

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4632) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2052-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023448-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/2052-909-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\manifest.json.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-private-l1-1-0.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	b51a7566b5d2098cdf2a3524a81ffc20N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b51a7566b5d2098cdf2a3524a81ffc20N.exe

C:\Users\Admin\AppData\Local\Temp\b51a7566b5d2098cdf2a3524a81ffc20N.exe
"C:\Users\Admin\AppData\Local\Temp\b51a7566b5d2098cdf2a3524a81ffc20N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
44KB

MD5
6eb683a0466909681b93c41e9210aeef

SHA1
8405d9018ee266089ddcb949905a91061d419694

SHA256
9c1a91a450689db98c42bdc83c856fcaad1f0da87e3d52ccf22c65ce08e77f55

SHA512
1c63288b658a680aff84eee6f0d6713e376115526ba0e6bcd51941671082aef9fb7574d1fd85b2454a24d42e8428d6b380a1422584defffd3deb1baf9958d550

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
788473a5e76d3492d7b1322e3ac96def

SHA1
e925056ce2553ed49783ca55f7a25c65e27d43bd

SHA256
fcfd8688260e52f5d75144a70da16418d94d81e425f551c44e56d8517d69659a

SHA512
4d50b59353a25f7d95a0629b0f78ae35f26355305fafb46775dfe10de2257aceeaa3bfc48338d8ce571172cd90558d88c63fd98623d266dc2d3d50004b41c368

Download Submit
memory/2052-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2052-909-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download