42070bf9ef37571c12244c1509c58c6cd30d9ad91e6262572fe0607a074e25c5

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21388e2d9059a00144b568bea594d1f0N.exe
Size

90KB
MD5

21388e2d9059a00144b568bea594d1f0
SHA1

e2a0398b0b773e4a3b3dc70e4fd67bfc0b976b73
SHA256

42070bf9ef37571c12244c1509c58c6cd30d9ad91e6262572fe0607a074e25c5
SHA512

7ef70385f76cf7606a916c37e0e6ccde61ac27a5d393bb6610744f41db44c4da66b821862a2d7436f912515675bbc4ad906f11d9a289505eaea0c3b12d8f0b0f
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8asUsJOLKc/xJtLJtTGK5:fnyiQSohsUsUKC5

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4622) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3976-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002349c-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/3976-868-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\currency.data.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\msipc.dll.mui.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	21388e2d9059a00144b568bea594d1f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21388e2d9059a00144b568bea594d1f0N.exe

C:\Users\Admin\AppData\Local\Temp\21388e2d9059a00144b568bea594d1f0N.exe
"C:\Users\Admin\AppData\Local\Temp\21388e2d9059a00144b568bea594d1f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
90KB

MD5
81d98e4db7e4f84b71ad5fe17e13b1f2

SHA1
f1dfadcd68ced84c3abcd2dff86ebd238617591d

SHA256
08cc86e3a447bab1e7d2430fe3c22612dc196bdde7298120ab200f94c4edde5c

SHA512
500d44883cf29e6d25c66c42f52dd94e298e41282421b9874028a2127c32f30df00044a066892d769ff1b26430ff4e3628056c3f1de02b6890f310e7697ada64

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
189KB

MD5
1aa264283920dffe51e6a62abc5c78d5

SHA1
4fa1e6e43e28c86fd5d1a6f4dfb5d1598b91608a

SHA256
95b44c080b6deaf3b1d146eacb51047214dd17f6440c4a99dbdf7792372cd69e

SHA512
7135b3c92577074aa2805d43a448104dfc12e095fcd803c19fb9ab4697d35ae24282d462bb4649e394dddf18e75358ed9c190fbee56e0a9638dc1bacd7be8808

Download Submit
memory/3976-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3976-868-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download