2b490a946ccaab53a9d5d939a84b8bbe5bf353e0c57ea08ea45dc85d6d415401

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 22:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

522a28dade13274696b3fcff0d388a40N.exe
Size

55KB
MD5

522a28dade13274696b3fcff0d388a40
SHA1

b1e503d46135d236f9d297239876dd418ad843a4
SHA256

2b490a946ccaab53a9d5d939a84b8bbe5bf353e0c57ea08ea45dc85d6d415401
SHA512

fd99141782a321d89109cf9bfcf1c2757df129b8ab275b3db8abead91278ff0c8910ab935b0bcf0119f63996c2970dc0aa4e3a979d7a3004de363d66c7a5c3ba
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9RKJVz4QVz4B:V7Zf/FAxTWoJJ7TnKJB4QB4B

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4320) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3488-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023475-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/3488-792-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationProvider.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	522a28dade13274696b3fcff0d388a40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	522a28dade13274696b3fcff0d388a40N.exe

C:\Users\Admin\AppData\Local\Temp\522a28dade13274696b3fcff0d388a40N.exe
"C:\Users\Admin\AppData\Local\Temp\522a28dade13274696b3fcff0d388a40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
56KB

MD5
86e007c803d2f01f2cc295a1b281aad0

SHA1
3188c66347505a1f2c0c77981aab4e2f726c39b5

SHA256
8becf0ff1c6a3bcdc2a4e9ae8fc851bef33e683e4d2de1442b4168049d48be50

SHA512
c2ffe53a8016c30ee5e360b5b9d0d16a7e888d67cd7da4acbedb8c5f536f6ba80dd33c4a2ec0f654d82e77bae381b4445f41d090fb75cc1fb11cfaefa5c92f93

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
154KB

MD5
cb26d9d279f59660f5f314eda18c675f

SHA1
720051cdb6e3ae59a281bd9b388d70458ac64e7a

SHA256
508306b462218b06d596ecff31fb0d54491584ce5121d4e895b95077abf6fa7e

SHA512
ee4b5c764995a29eaf018bdc32826162071cee44efc5e67ffe9cd3bb25f2b1e233c17d4fe6871617c382dc19a1ba9b269ce38d0d51b11fd710dc6a726473f7a4

Download Submit
memory/3488-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3488-792-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download