6b13be9f29a56f850950a53b9896b2e151187dda33caf07b46b7d26c61d7b175

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43cf6a118438bab9f38f3e8f3bf46150N.exe
Size

58KB
MD5

43cf6a118438bab9f38f3e8f3bf46150
SHA1

852077483bf15d9684a6ac050529171d0263453e
SHA256

6b13be9f29a56f850950a53b9896b2e151187dda33caf07b46b7d26c61d7b175
SHA512

e450ef2127170d6356fd1ca4f5ae8a0b2ca7deb6465921cc64bcf6cbd3a35037bdbb0cd277381bf0ac4f930554b00f846a63c0897f2c13666df8eaaf5e0c26f9
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiPUN+:V7Zf/FAxTWoJJ7TTQoQcN+

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4619) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3968-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0003000000022ab1-2.dat	upx
behavioral2/files/0x0009000000023452-6.dat	upx
behavioral2/memory/3968-858-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\ConfirmRead.wm.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClient.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	43cf6a118438bab9f38f3e8f3bf46150N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43cf6a118438bab9f38f3e8f3bf46150N.exe

C:\Users\Admin\AppData\Local\Temp\43cf6a118438bab9f38f3e8f3bf46150N.exe
"C:\Users\Admin\AppData\Local\Temp\43cf6a118438bab9f38f3e8f3bf46150N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
58KB

MD5
7018e9010f52a76a1d7ee7ba23b55d91

SHA1
36ca31d60b0f28e7bb0d39493acf4ce0179482c2

SHA256
25db221a443037923038f6204703e1883535da278327f4a6f8b776347fe0bccf

SHA512
b2213486f235205bc7e0df607491870a11795edf2fd99fab338b03c1708af0a5a5a3c77ccb66fbc2f2da933653992bfbcb41722025d361660eac14db7f0b281c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
157KB

MD5
9243a95544882af03ee817ed8e61fa4b

SHA1
bc879521c64bba9d30c02fb92723f4ee86a1dd3f

SHA256
5628cb43d95338474d543d339e18b86dcadb4da58b4afe157bd654a1525e4938

SHA512
2dda873b4c08083cfe0c99c724c1fe81bc5ddefdeab8dd8ab431b322dc221e1ec233ebf38451325f6e36398c2bca10ca8bdfcf2e4c141a962769dcd15551ab08

Download Submit
memory/3968-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3968-858-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download