de78d650253b26a2fa60c62fdabdf43adde9791fccef5e00932ca87f79639c33

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c136cc7231055867f89b2f18b1dad90N.exe
Size

138KB
MD5

9c136cc7231055867f89b2f18b1dad90
SHA1

8597683c160c928ef631d0a64c917f68d5378165
SHA256

de78d650253b26a2fa60c62fdabdf43adde9791fccef5e00932ca87f79639c33
SHA512

e5424c457e041bdca97ffff5908ed0d3cfd529b4dab5b1b954260a8917b5beefc3010f53b674ee8bc998de6c2694511c6b60bac0b000247179ab6abcc5e71ae2
SSDEEP

1536:V7Zf/FAxTW/ySSh9j+9jpGnnWsgjsTn7fpXpgmvzOdSrnvOdvxoR:fny+ySSh9j+9jUnfQsTLpXYSrnvOZx2

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4301) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4848-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233e0-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/4848-800-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\vi.pak.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	9c136cc7231055867f89b2f18b1dad90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	9c136cc7231055867f89b2f18b1dad90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c136cc7231055867f89b2f18b1dad90N.exe

C:\Users\Admin\AppData\Local\Temp\9c136cc7231055867f89b2f18b1dad90N.exe
"C:\Users\Admin\AppData\Local\Temp\9c136cc7231055867f89b2f18b1dad90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
138KB

MD5
49ca78f8f35bd02622a570c8bd353ee3

SHA1
28613873e60f2d5bb6fe8db29fba664e3b411399

SHA256
4bb1c2c4dce6e3c3a6ea247ea9bdefe9f2029be2e06c218c99acbc3dbf3d1720

SHA512
4a9e42d442d3b4044856d0a6d48aa522d1c2fb943b0e4f460b156a048d42346aface5c4f91e32c176ab3c38160d8e23c4aec1f0b09b030feaba03106252aacfa

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
237KB

MD5
eacc089c13ff76ac1ae2a71ce1f4abf4

SHA1
22883f7492569b4d330b216c39e91f3143089a1d

SHA256
bf7c4a2b4f90f7e581c0f3d58a104682812b8bc0d7a5a762d16c5fd922c4dbb9

SHA512
912a4a845a74c8a77cdde6fb811230c23bfe471a43370c92c39dc47dd393753693e657ebd160a40f43d9f52ad71842775aceafec414056c331ca9e29ed24587e

Download Submit
memory/4848-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4848-800-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download