8254f15ef51013017f7486b5e99f067c0855ccfde7e910af13b9e6d0a4329fa5

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 16:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a419c693e21e02cd4036836f87ba0960N.exe
Size

33KB
MD5

a419c693e21e02cd4036836f87ba0960
SHA1

16fb778ab3c8764f12904a5d7a2ef828a63a43e5
SHA256

8254f15ef51013017f7486b5e99f067c0855ccfde7e910af13b9e6d0a4329fa5
SHA512

201e79647d1de0a4d48c761c018bdbea44accd83c30d7fae5bd3785642b5e1596c9880952befd139144c83b1d83799f656d83dbb7cdc0ab910eda26ae23f2c2c
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9cGsGJKO:CTW7JJ7TyGsGJKO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4682) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4992-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000234ce-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/4992-932-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7en.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	a419c693e21e02cd4036836f87ba0960N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a419c693e21e02cd4036836f87ba0960N.exe

C:\Users\Admin\AppData\Local\Temp\a419c693e21e02cd4036836f87ba0960N.exe
"C:\Users\Admin\AppData\Local\Temp\a419c693e21e02cd4036836f87ba0960N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
33KB

MD5
0e668cd81d5c341b14c338a3994b09f1

SHA1
80e25db4f0a466c4427220a6d8327e8ee6541120

SHA256
9985bdc3f6deb376ed058b562551c135853e9a010f29dea7929af61bf502d462

SHA512
d249c6876c118f202471b53593efa23017b6245abfb2cf0472e0baa7fee3c91a36084a6dd229437d5ef8c7b8127053bc4d1de4731023fc66764827e42b925ee1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
132KB

MD5
7210b5f358e56fc9d884257eb5a59d18

SHA1
2890fc53f5be3bedc0096f89bb919b8162211d91

SHA256
a646cd94b8a4a37b2db5b3eb9e31e1a01cc886e43470903016df19ff4a66075a

SHA512
00312f7a016b9c26511b4346980832c31c1517309f564bf7009a8c570eddd147cbdf3c4bc1ce43b59a88cbc18358deffc1c699d93839419b805233ec99df7cb2

Download Submit
memory/4992-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4992-932-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download