79f7782f60dcd10415599c97dcc5e15a429aa44d2c727471c61d61f72624adf6

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

545c9db62c28f6ffdab8001f86c99be0N.exe
Size

57KB
MD5

545c9db62c28f6ffdab8001f86c99be0
SHA1

5f27d948750ebc31dd566ebb17228544133a74e7
SHA256

79f7782f60dcd10415599c97dcc5e15a429aa44d2c727471c61d61f72624adf6
SHA512

f59b8a07a75872c4bdd58326dc3bdf173f981a1ecb3c32cf5fbd3460651d3fca363cfbef997cfbc032722584304a6386f547b5899ee896289bb8196d0002deae
SSDEEP

1536:V7Zf/FAxTWoJJ7T3ja0tbmmjFFjFPjkja0tbmmjFFjFPjunhuznhuB:fny1BngzngB

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4644) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3312-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023360-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/3312-854-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.Windows.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	545c9db62c28f6ffdab8001f86c99be0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	545c9db62c28f6ffdab8001f86c99be0N.exe

C:\Users\Admin\AppData\Local\Temp\545c9db62c28f6ffdab8001f86c99be0N.exe
"C:\Users\Admin\AppData\Local\Temp\545c9db62c28f6ffdab8001f86c99be0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
57KB

MD5
ddf676b9fa8e0ef90650a7fb5a47d156

SHA1
d2f2e8212ff961a02cf0b95badf3a30e795a3479

SHA256
8915d0a834fae9af999e3e2c2b8a0a642087000f9c380ede4826ca6c8484b0d2

SHA512
fd5174a22634d7cdead20045bc7f913d1d7a9f560a7bda7c7520ee96073549a93344e85f67b7df0b5278cac77e38983e80fffdc77b243b73bf808bc7c6922f93

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
e19e399cca4a9dec25e103c52fbfe975

SHA1
30f1b0561f50482b66f6868691c4ce359984aa16

SHA256
5e4e5879e7f07e16054535a28941377b34a4b79cd7ddf29e45754b17b1fddfda

SHA512
6a1b7ddfea85e05db2999858e2cc9e91f90b2001a5aac3b52847293b38fdd25607ff2bf60db79fdff2422cc92f3b4ff34aead7ec1f3f738b172f1c37791e7e72

Download Submit
memory/3312-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3312-854-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download