2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
Size

25KB
MD5

9b27cc2bdd005d0106f82f8eed1a2e14
SHA1

ed60f4151e0c8e3e0fd654b74749bb1669e6cf9d
SHA256

2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b
SHA512

0ce08d026dca615ffa408b1beb99d09786a50e15a6e403234c6640e032b43fd01c09390ee662c4350baa3440fdaf54019b71152e51cb044e89d789f7324c3e4a
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9ZmuOQk:kBT37CPKKdJJ1EXBwzEXBwdcMcI9nq

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5044) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/628-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000900000002348e-2.dat	upx
behavioral2/files/0x00090000000234da-6.dat	upx
behavioral2/memory/628-866-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\License.txt.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONLNTCOMLIB.DLL.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe

C:\Users\Admin\AppData\Local\Temp\2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe
"C:\Users\Admin\AppData\Local\Temp\2a51a89080104ea9c529a3687076421acc489a348c38da0fff4b598f5b79cf5b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
25KB

MD5
05af5d3f717eda1c0c007a9629419f70

SHA1
42ee7c856ac0b9b2e845d0a69ef1047df4a8a646

SHA256
8debea963b7ac1380fd69347b40177724b6c4e3fd8566ac12d5e5bc289079274

SHA512
938699c2642c757b610c5539305ef7fc97800c2acb30070c76af4941be7152077ae9bc50c5d5a5ee0cf4b506fe0dbeec21e96bc6f6bcac23f49c3966b8dedc90

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
124KB

MD5
42a242dcd0e6022f98a521618eefe8c2

SHA1
8248a4190e5f6622039bbb523f5de72830c79e0d

SHA256
58c22c89f025a8338d442ec94865a34934401b46d03a07f5d17fb8164db8805e

SHA512
f38f65e5d7590709e4b7d44c051342e92bef08dcb1cd30e19f93683e037803a96fe3860704b55070b161d8e266777d61e92645a8dc1d95eafd8a6eeaa3dbf86b

Download Submit
memory/628-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/628-866-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download