db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b

Analysis

max time kernel
150s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 03:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
Size

23KB
MD5

224ebd7350841f99ea0745e5d6a71f6d
SHA1

588803c9443dbbd0b52ae4e3e60f208eeb44f7ab
SHA256

db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b
SHA512

5201acc68f9d4abe3681ca2b59ba5b54805313ceaafdd3e4427d8869f5cc42b53e22ca1dc0642dc6d6d8a428f4de38672c5451ff2227c6b74b7785eac7008242
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9O:kBT37CPKKdJJ1EXBwzEXBwdcMcI9O

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5356) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/628-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00080000000234fa-2.dat	upx
behavioral2/files/0x00080000000234fd-6.dat	upx
behavioral2/memory/628-1060-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.tree.dat.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sl.pak.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe

C:\Users\Admin\AppData\Local\Temp\db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe
"C:\Users\Admin\AppData\Local\Temp\db40a267a1e9b5040689462a0b56da2e5d594f637e5877d9c3823442d8eea33b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
23KB

MD5
872bba2a5633baa85f88a7485403cd8c

SHA1
b6e1919d14c54aabb2cf464099f97ddaa6639150

SHA256
21f88049237cc8fb57d1c33268cb52a3eef7133a492404882b502bc8645e670c

SHA512
65a2e3c4ed11270b66b4d776c22986f1de9c7ff3d1f07630eb4400527861dd82e2ad6795257ffaa268f189b2ef2bb8d93eb1a4e2961662a0c4e4af61aad89a3a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
122KB

MD5
7a39557798e42ac70afc14b6d0b27f3c

SHA1
eff89e1c9e6ec7149549a75f18b466ca49b51b9d

SHA256
efecb208a6d01fb9957e448c5ef7b7c591086f8f92c51a39a795418fab93f516

SHA512
733bc008b6c20ca95b2f5f7b9802e8f55cdc80a701456392ea9bac05f4e40ffdbd1c12ee000e80297c8bef35c6e4cf12fe44f674ae71556fc0fe94fbb0a47a68

Download Submit
memory/628-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/628-1060-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download