c6f0396e8606fad5dfffbf2acd515a0d2595034cc173c6d0e22411e36dbd2450

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 03:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc301711647614228a77fcf6289923b0N.exe
Size

62KB
MD5

bc301711647614228a77fcf6289923b0
SHA1

b26bb708a61d0746e7c51c522fb31055c408f4f9
SHA256

c6f0396e8606fad5dfffbf2acd515a0d2595034cc173c6d0e22411e36dbd2450
SHA512

786dea074802e8b39d4c1223898ab5287197f1bae4f41d112b91f35209994d2d3dce47be06813bb930d4b5a6d519fa0b753e0117413d57e3681f74dbb485089c
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rP:V7Zf/FAxTWoTtvXtvU

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4964-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233c8-2.dat	upx
behavioral2/files/0x00040000000228f4-6.dat	upx
behavioral2/memory/4964-902-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\HideImport.zip.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	bc301711647614228a77fcf6289923b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp	bc301711647614228a77fcf6289923b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc301711647614228a77fcf6289923b0N.exe

C:\Users\Admin\AppData\Local\Temp\bc301711647614228a77fcf6289923b0N.exe
"C:\Users\Admin\AppData\Local\Temp\bc301711647614228a77fcf6289923b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
62KB

MD5
9073f8cca38d8e82e5eb62d763ffe8cf

SHA1
135ae06e2812403315253357794a93d7ced1bdda

SHA256
bb9ee4cd762e57a7d9ebbd90888fc4f0d00d3886846172713c80e66619b0af17

SHA512
048cac18ddb9a4dfa4c4c02947ff5e56e54904e1ec13047ea0375297a502a9a84c975ef0033c102575f0739e1fd0edd2379ac4bd7bb163630c813175139ba7b5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
161KB

MD5
2561afd00614d9d04928d1f577de5384

SHA1
dd2efdf216e1462c86b1866e01396cddc6c885ac

SHA256
9e5c996366649393aaea867dee8be1b7f749e16d2efe6bd05b34272724f3e58c

SHA512
b127cc6a128456883c0266f1b4c784f5e8002c504b0c6f1e444870db7585341afe2a312b62d9a8d7c1474c01a683a50e1a38cffa185b8297a67d26435698e474

Download Submit
memory/4964-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4964-902-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download