5bd74eafb961341b0d4ea1d30833478921544ea3838e240c2c47dc74e478aedb

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

282eeb96717802c6dbaaa744654849c0N.exe
Size

26KB
MD5

282eeb96717802c6dbaaa744654849c0
SHA1

5fde9e6d117e436a29c8786cf4fcb9d731e5828a
SHA256

5bd74eafb961341b0d4ea1d30833478921544ea3838e240c2c47dc74e478aedb
SHA512

141bf8649e06e322d90b85248d84e3831671965e84e79eef5c6192640854764174d1f6ff641f27e6ffe715bcc959f17fcdadadaf71632e5e737e828d85cdc4b2
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9dEjl:kBT37CPKKdJJ1EXBwzEXBwdcMcI9dEjl

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4681) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4004-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000a00000002345f-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/4004-939-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClient.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	282eeb96717802c6dbaaa744654849c0N.exe

C:\Users\Admin\AppData\Local\Temp\282eeb96717802c6dbaaa744654849c0N.exe
"C:\Users\Admin\AppData\Local\Temp\282eeb96717802c6dbaaa744654849c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
27KB

MD5
c0582565f6c311133fbbf8344102eb7b

SHA1
034ca8ee34b1bb0510d160c9ebcbae2bffc2fb47

SHA256
a189706d9653c9aa3bcf33962abcee9dbc399d7171a7e45c6f510b9c91ac50fe

SHA512
3504a96592b5d6592538bf0e12b389b0060e45de088ee244fbbcee6b48f927fe4d2f31248dd6ba2a548bb7748563f2131fbef6448b744aa8d4249e377224f79d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
125KB

MD5
96b235b724e4363ff1f41974f8f188ef

SHA1
81b15303193933d37d214ab1f65ec92c258873df

SHA256
1b9db3902996ebe393eeacdbd03885f2f5c418b383ae2e8dca4434db05237071

SHA512
f2c822a4d9f3c333a1af0f9e01f0347e7f0ee75bc22e00dae8f5d404c005d644e0e6c669b872e35af4f33ede8825bc2604ca372e4192e0670ce1bff25f7bd5a2

Download Submit
memory/4004-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4004-939-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download