23642750bb00b8c8f779bfe4e8ab9eb614687329df732c821d7d4503bdbc8913

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9c4546cd6b414187d8fd9c1f1805620N.exe
Size

55KB
MD5

b9c4546cd6b414187d8fd9c1f1805620
SHA1

baa0808bbb463cfc0cf224409e37103fe237599d
SHA256

23642750bb00b8c8f779bfe4e8ab9eb614687329df732c821d7d4503bdbc8913
SHA512

6f456e6a6c2a50beba456d8c50e9fbba327af15e23001473656020d8edb0769d2ac2656b0d22ac8361cf40490b6c40700a9a1cfc354abc157eca64af7b32b4a5
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeinMdb:CTWUnMdyGdy4AnAP4Yrjwkh4wkhU

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4373) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3596-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000800000002361f-2.dat	upx
behavioral2/files/0x000600000001690a-6.dat	upx
behavioral2/memory/3596-833-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\he.pak.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp	b9c4546cd6b414187d8fd9c1f1805620N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9c4546cd6b414187d8fd9c1f1805620N.exe

C:\Users\Admin\AppData\Local\Temp\b9c4546cd6b414187d8fd9c1f1805620N.exe
"C:\Users\Admin\AppData\Local\Temp\b9c4546cd6b414187d8fd9c1f1805620N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
55KB

MD5
45fa15c18979fb1c062d5d85589a87d2

SHA1
8d6b8a1f8bc8973e5e2d318380d5f36511a64b39

SHA256
ff6c328139d49c40a405b6dea47b3bb045abf002f912e2514249778de6ab3eda

SHA512
c7b2d5fdecd567e1438f821b3c08d3ff17d424423c16e4a51362ed98b1d3a9065ca00cdf57019c958694215cb6558c0f24a77c1ad44146ad7cd1c32a68b20de2

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
168KB

MD5
4223bd4fff64d61d15deba463270f808

SHA1
cc55d74a71e80da377118e154cf74aded6b95977

SHA256
9d6a4f99cece980bf3df93e9f38a0dc0295adb300ca875981f77185004a7142d

SHA512
d0ad8bb751e82a0cc578cea478b4fb1e60586d693a51711f87d649489b945ff5ca364e5626bdf42f463a5d0e4c3b52166d5d97c216a8220bbf44c1f1a5ec2507

Download Submit
memory/3596-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3596-833-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download