Analysis
max time kernel: 120s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/09/2024, 07:17
Behavioral task: behavioral1
Sample: bcad7d3f72a1620bddb3d88446aa5290N.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: bcad7d3f72a1620bddb3d88446aa5290N.exe
Resource: win10v2004-20240802-en
General
Target: bcad7d3f72a1620bddb3d88446aa5290N.exe
Size: 84KB
MD5: bcad7d3f72a1620bddb3d88446aa5290
SHA1: 4486acda01c06b388833beab28816684aa780094
SHA256: 5e81772520ed399b8f1e72be0d76d88340a1fe7fd376c9ebaa0f778948ead9a4
SHA512: b35636bdb27d7048f49a33b639db2277f15bda83e55c0cbf938272eadd851198fcb0e71e03e1e179b7a184e02cc43a5f72dd6cac8b717eeabb70f2a23c8fdb07
SSDEEP: 1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxY546TKJ:fnyiQSox52
Malware Config
Signatures
Renames multiple (4364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

resource / yara_rule
behavioral2/memory/1560-0-0x0000000000400000-0x000000000040B000-memory.dmp / upx
behavioral2/files/0x00090000000233e5-2.dat / upx
behavioral2/files/0x000400000002291b-6.dat / upx
behavioral2/memory/1560-760-0x0000000000400000-0x000000000040B000-memory.dmp / upx
Drops file in Program Files directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: bcad7d3f72a1620bddb3d88446aa5290N.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 84KB
MD5: 3b39667196fdb3c1301d508c5e053518
SHA1: 0144d43bc54a2c873a7e26fbed6a578f920c2dbe
SHA256: 872c68a465852d3dbc33386952497ee3d89e31fb0f0accfb3b77fa82de4f5b79
SHA512: 13ec03e3eaedd11a3f8633e451e0f04c939c3ac269054ac5c07e68c3ff747de933c0f22242e911759c4caccc14d0e940bc55b3857b4e4aa832606107b279e71c

Filesize: 183KB
MD5: 4481f36b87dc7539b3ca78ccf417be0f
SHA1: 1fc41f0994d4f0113ff659ac9f5efc208b8329a1
SHA256: 7fc6d7c4f816ee99c29442d78abe53efc4d7999a8fdd2a4f566742bbf0bc908f
SHA512: ebfb750b663a98cde029d2fcf6b429c1e6da5a3eee6252c11d905cbaf5fd39abcea2429b1dcc3efd7825ad0abb24b8014f427e6389bccc90dae302acff5ce004