b5b52a7d0a1d4ebc58acb4576dcee8424b3a7474ad8aab75d002c22291b3d862

Analysis

max time kernel
120s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

946949d5ae58dbacef6e5c045a7f96c0N.exe
Size

74KB
MD5

946949d5ae58dbacef6e5c045a7f96c0
SHA1

d07cc5d16cf90d5a1b0de57f24d0d2bcba5bf53b
SHA256

b5b52a7d0a1d4ebc58acb4576dcee8424b3a7474ad8aab75d002c22291b3d862
SHA512

14175c58a91ab6bd66111a301d29f72cf4971024c88740fb0938e9b26ee5c4ec91cd73dcc925bd53f57d64bcf6312bf682da683093657a9e91d70d326cdd96be
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/til5z35ztE:V7Zf/FAxTWoJJ7TTQoQlRQ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4622) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1760-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000a0000000234f3-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/1760-900-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\msipc.dll.mui.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	946949d5ae58dbacef6e5c045a7f96c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	946949d5ae58dbacef6e5c045a7f96c0N.exe

C:\Users\Admin\AppData\Local\Temp\946949d5ae58dbacef6e5c045a7f96c0N.exe
"C:\Users\Admin\AppData\Local\Temp\946949d5ae58dbacef6e5c045a7f96c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
74KB

MD5
e1c4b6e190ea3e7f6778c4ff2bebac01

SHA1
7a64925f61d692bbd9488b3f3b34412bdbf145a1

SHA256
3a13d11a3761251f7af5ba5949408682f4a84ccdd837f47917bff10a8496c2c0

SHA512
30ba8695955e5216a70c5f0efd4553763e5215a19c3e41117646f6a216b79ca357e3c54640ed360758b602faf5237cc84797f21d7572e3f73e3b2f9316824935

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
b78d91221643e7d008bcd1139bb612eb

SHA1
2c60c729350391a632ffdceacd64c7c3ebf9b4b7

SHA256
a26f0774374071340dd4bf236b70bfa039f5db2cb47f098d8c5df3b7af8599a2

SHA512
2ff7a6e31aa95837e71e6dec6fef48d7b78f9c1f54e1354d69595937d8fe07d9dcacea2903674df6154738e19f69e180bcf9e8624535cfe441c1fd4b69d58a8a

Download Submit
memory/1760-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1760-900-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download