4fba98f2f88a5152d9852ddb35e5fce06bb557c37ce93b5b6342dea835247826

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

465e585b0a11221449697fcdcbdbd8c0N.exe
Size

26KB
MD5

465e585b0a11221449697fcdcbdbd8c0
SHA1

b0a3397a25a8704c640688aec0f84fd6f00e2029
SHA256

4fba98f2f88a5152d9852ddb35e5fce06bb557c37ce93b5b6342dea835247826
SHA512

3be8964e1178ae05ad092ac1a7ffd805ab5190aad06c8cad8fb7961a06fc6108648541fb8bb69b075ff83615b01405308764d48f1837e404cdf1437bab9720c3
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9Q7:kBT37CPKKdJJ1EXBwzEXBwdcMcI90

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4679) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3344-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023468-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/3344-935-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp	465e585b0a11221449697fcdcbdbd8c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	465e585b0a11221449697fcdcbdbd8c0N.exe

C:\Users\Admin\AppData\Local\Temp\465e585b0a11221449697fcdcbdbd8c0N.exe
"C:\Users\Admin\AppData\Local\Temp\465e585b0a11221449697fcdcbdbd8c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
27KB

MD5
171119382f1f5c32ad4edea386e84392

SHA1
e20ec2a0b4d91dbd89dc6414ef9d802a1e23d5df

SHA256
6c70e218a12c4cb3127a860f2801e44d2f05601e32283bdd32799ec7ca15203c

SHA512
02d92bef13b3046b4aa0e4f6a4c05087cdfc6b82a369d2fc3e4db041e79e3cd39ac4940ff413c8f70cceabe97478bda0144b6e4eab88be7b642055d7e6a5390a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
125KB

MD5
3dd4073374f8e56dab9312ac6fbf046d

SHA1
8c0bc196fe9bc151b23144e81a148260f24594ec

SHA256
794b8446726de1a342387d1984df122eb8acf80c58e210ddb12759d433bf7070

SHA512
30595540e4a4b4185bbb0933be3e1c0d28abdcb7fec75e9d1e41767ee10db3918562da168c4eee968a228eeed1e6b70c497c7fac65e6d1bcb7f52a1a9ab74699

Download Submit
memory/3344-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3344-935-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download