d57e2fa3af2fb7c01cdcdae3f8e549514785c3a368473dc0ba2d04c26cb09b4d

Analysis

max time kernel
119s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 03:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82809629a5de9001142d9c9b6d088ab0N.exe
Size

61KB
MD5

82809629a5de9001142d9c9b6d088ab0
SHA1

9340b7822b356471c2be97969c2b1d2e0e09ca6d
SHA256

d57e2fa3af2fb7c01cdcdae3f8e549514785c3a368473dc0ba2d04c26cb09b4d
SHA512

6a406c3a4b8174d779f074e0f07590a6aff1e7196548a4a2e700341e1d27119660f56b115c9293d075268cf5d6b01ed763e7fb27948ed808be948a3db633dd2b
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFIl:CTWn1++PJHJXA/OsIZfzc3/Q8IZTT

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4660) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/432-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023495-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/432-931-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.resources.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\InvokeReceive.avi.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	82809629a5de9001142d9c9b6d088ab0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	82809629a5de9001142d9c9b6d088ab0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82809629a5de9001142d9c9b6d088ab0N.exe

C:\Users\Admin\AppData\Local\Temp\82809629a5de9001142d9c9b6d088ab0N.exe
"C:\Users\Admin\AppData\Local\Temp\82809629a5de9001142d9c9b6d088ab0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:432

Network

DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
61KB

MD5
83e877ad351e38d0dbe29ebdc897ce85

SHA1
b96106d9fac69538cfcb5f2b80fc954ed814e4fa

SHA256
7a7bc1c8439f1b5b3d8a2d85875c8a42f5bfc8a9e0e7de0fc66c0767acfb5ad8

SHA512
e8c67fff0a7ac1a6894f74646817d2eb1f64715b616ad6c8fa2fa804ad783e720fd298ad145be993cc7a2fd94edede758038ac5a3adb2dde3a253a016348a33b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
160KB

MD5
aad1afa47ceb5ecd5836ec15b508b6ce

SHA1
6d5a0acd0e71efe3e8dec3aecd1e3750e032576a

SHA256
fa4965a8f3e55f961fc758faa8b99b91d9743908c6b9737c71f4dcbd80064426

SHA512
7889e2f7f60a77239876553c00414d5f361db0fc40c96b9293b87451d3943f2d93843e76eaebe5774e9e249cb2b00dec8aa24529750447858c549417e7549f58

Download Submit
memory/432-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/432-931-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.