1200a049c7661c65c8abbcd0ca7dc6b3afb2d760625aa97c3fc0c8b41bdd5954

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e90ab5ef6f98bde273d4cf3463fd30N.exe
Size

66KB
MD5

39e90ab5ef6f98bde273d4cf3463fd30
SHA1

146cccc1314f748b1ebc3338245074796487e543
SHA256

1200a049c7661c65c8abbcd0ca7dc6b3afb2d760625aa97c3fc0c8b41bdd5954
SHA512

1e5a691b5eb3a18e10e389e5c0b840245d91286bfb8c70fb0cd90869db779839c04903b7ca28d712b3547eed5a9dd6e6e946c357c6ac3f1958e7ba3fb691b3c0
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzZ:CTWn1++PJHJXA/OsIZfzc3/Q8zxY5a8e

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4638) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4120-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023442-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/4120-855-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.resources.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39e90ab5ef6f98bde273d4cf3463fd30N.exe

C:\Users\Admin\AppData\Local\Temp\39e90ab5ef6f98bde273d4cf3463fd30N.exe
"C:\Users\Admin\AppData\Local\Temp\39e90ab5ef6f98bde273d4cf3463fd30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
66KB

MD5
83e4666bc1d68d26d891bcc876a6d836

SHA1
64aa78f746546ef36cdb740be41889affb5aab09

SHA256
bcb142c8b7b938c4b370aae4bdfcac834ff84b990cca49fde98a64ca30c398a4

SHA512
ae3dff7bbd0f0439a5a3ac9eec78455cf98dfd67078e79e184fbb7d1f180f975c8ab6e916ac18ab7e92391e32d86bdfecf9c486b6ac8bc0a571d3d83144ce7ee

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
165KB

MD5
d46c0f587d11abded264c840d2841039

SHA1
e27c9059290e82bd7987b413c96aed5830fee4fd

SHA256
8ac97730243c036e4f0275a4c2357c3175eee51ea923929db0772b138c44c4ab

SHA512
4aba17cd2a87b2024198a5d49c2223690f708666d3ec0dcc3ffcbe9ec3b50d974c3b23fcb7c3359fd40429c5d2ebe0d3b8381396bcb50183586a601a0ab61a4d

Download Submit
memory/4120-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4120-855-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download