18518c3c99ac327f3a72f2707368acbc89a68472d8ae14b8b283f2074fc0ce7f

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a2129e541784f6aa314c450ec5197a0N.exe
Size

30KB
MD5

3a2129e541784f6aa314c450ec5197a0
SHA1

6794959c0b45fcf42733aeaf6fb2ba57f2916c0c
SHA256

18518c3c99ac327f3a72f2707368acbc89a68472d8ae14b8b283f2074fc0ce7f
SHA512

6b5732f9b7680963c5953fd51ffc051c8c3f450d83cde7a40fc4e918e62456e1b43c76236ef12b4d2437276434d6ac077d578d51f50dc26c8b84582ef906244e
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI951ScN:CTW7JJ7TzUcN

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3740-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000900000002361c-2.dat	upx
behavioral2/files/0x000600000001690a-6.dat	upx
behavioral2/memory/3740-917-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Xaml.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	3a2129e541784f6aa314c450ec5197a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	3a2129e541784f6aa314c450ec5197a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a2129e541784f6aa314c450ec5197a0N.exe

C:\Users\Admin\AppData\Local\Temp\3a2129e541784f6aa314c450ec5197a0N.exe
"C:\Users\Admin\AppData\Local\Temp\3a2129e541784f6aa314c450ec5197a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
30KB

MD5
dd07a1fe64999c436b4aca485fbad270

SHA1
3d05da599515b73899ce0c1dc811e72143e5476f

SHA256
b4d63c479a2cf3a61f9692bef9663d4f19499bbe0e089d3b71071d20f07484bb

SHA512
c077e2b9475921202ea529efaf9a88fc76a4c01c08af801a0bba405aed71ca9145c57860d5714ce1a0ca9f77cb1490539a803e2471773687924ef5a64168d032

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
143KB

MD5
c87a8a95bafb0ddf24475ada00bd8de8

SHA1
52ead022008bc9c9ab9d494fe1723ee2e2944540

SHA256
cca0c50cc92f948beec76b068157e48857f54b4660aa862dda48adf0b9ad19da

SHA512
57702cbf4e35e1161abfa9416aa9b50459f51de53cf70e912d662d50d93c13187fc7669d46c30a6f96b3d819ec3b97567dc38b1e6c8a175bd5477642839cf207

Download Submit
memory/3740-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3740-917-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download