87e3f987a0bc66a440deea75c9f524ea9e73057d3e4deb5a02da18f5585114e6

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcb55644dc393afc3be3206b0e244e30N.exe
Size

644KB
MD5

bcb55644dc393afc3be3206b0e244e30
SHA1

c91d20285b3a789bb1b19d7e6a114e83bf41ec1b
SHA256

87e3f987a0bc66a440deea75c9f524ea9e73057d3e4deb5a02da18f5585114e6
SHA512

99fbc268354cee4bc4fe11c7ce258a37b2b0586471c8217154f670d9ea64967c78021a928c34a7225735ca3b8d8bf4983e8e49e88ea4173bfe57426f757430dc
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBApwp133EskmKK:V7Zf/FAxTWoJJZENTBAOIfmKJfmKk

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (227) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2716-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000d000000012255-2.dat	upx
behavioral1/files/0x0002000000010480-6.dat	upx
behavioral1/memory/2716-20-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcfr.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\CompleteEdit.tif.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp	bcb55644dc393afc3be3206b0e244e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp	bcb55644dc393afc3be3206b0e244e30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcb55644dc393afc3be3206b0e244e30N.exe

C:\Users\Admin\AppData\Local\Temp\bcb55644dc393afc3be3206b0e244e30N.exe
"C:\Users\Admin\AppData\Local\Temp\bcb55644dc393afc3be3206b0e244e30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.tmp

Filesize
644KB

MD5
9212af4b065868f43c7ba3778ddb8aa4

SHA1
6a2265485ce861d005c4f8c02f7f8a0fd8561482

SHA256
f3057e27045aa48531247dc6276b0a98fc15880944053b70b5265852985a4936

SHA512
4c5a2deea8d8ad960dc8fb8c187798e8e1ada39a75878f3134079531631f1e75f4e2e717c0dee5b122c826c40d730510705cea986bea7accac182d9cd60b04a8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
653KB

MD5
74050954416aad011bf34fc0b0688987

SHA1
d172695a6696c844d8cfccfa69f9a59fb1f44d07

SHA256
261256ef18a75b5c50a9cedd5e49fbf05a476389d351bcccd5804d3935edd7bc

SHA512
bffd0c66e1f83bfe24cc1858c5262f845b61ffd698bd1e55e4302cbc0eb0bd9bf6c9d58f312f6c1c000c989f870554cee452f3b82fb30cd526965a9b3c7da037

Download Submit
memory/2716-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2716-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download