e5aa0f22e5c28c3f633fd16858a1c0258d385850ac3dab68d3715b517f877696

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba878098d62de626fea3d1b281b5ae90N.exe
Size

151KB
MD5

ba878098d62de626fea3d1b281b5ae90
SHA1

d94e7d134eb760c75a52caa474c0e454f89faae1
SHA256

e5aa0f22e5c28c3f633fd16858a1c0258d385850ac3dab68d3715b517f877696
SHA512

aa9f93273206dbd5cf9420f2732c8c7fd520efdbe06bd1e8fa9d3c671747c80b882aa1674e133eab71849c0552b2c43681b6762ed51e99f2b930e8ffd0244bfb
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxY5a8eTWn1++PJHJXA/OsIZfzc3/Q8S:fnyiQSox5a8+QSox5a8x

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4324) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1788-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002342e-2.dat	upx
behavioral2/files/0x000c0000000220a6-7.dat	upx
behavioral2/memory/1788-810-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp	ba878098d62de626fea3d1b281b5ae90N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\deployment.config.tmp	ba878098d62de626fea3d1b281b5ae90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba878098d62de626fea3d1b281b5ae90N.exe

C:\Users\Admin\AppData\Local\Temp\ba878098d62de626fea3d1b281b5ae90N.exe
"C:\Users\Admin\AppData\Local\Temp\ba878098d62de626fea3d1b281b5ae90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
151KB

MD5
62cea24ba1c5b400e54be2a31e1d18dc

SHA1
071c0146208a92ea64cc4e4954e2228bc608920b

SHA256
04f8d8b36857fef9aef842baf6c461b86d525a6e41dbedd6ef4effcbe1b8d040

SHA512
e96f0f65dc0ab3e3ea67c66f19a34a7c220d0020cb36deeba983ceccfbfd4294c461ce169741e7d13170b52eb8fab97494fa72e65d0b1a908b78d27dfb6cfa87

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
250KB

MD5
5fb43bb9782748309ecaf2e444cab373

SHA1
376c8f3705fd070f2600b3c903c8fe3fff101f39

SHA256
e3b675e9ff4c1d7d4d7f95dcb693b8a55aae2ff9ce0b32e5ff29b18db84fa585

SHA512
0cf44a4576b285f42037547d49bad1fdc07abd520cf5172b0c2d922ccda793eb80fb2242a98df881d331e5fc51946f9dd9dac04f8bc141abfbcf48acdcac05db

Download Submit
memory/1788-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1788-810-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download