00957362182f83cce55b62287b19acfe88e6b75f28d4c78f6b6314265aa73955

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

908fa9dc6a20e673320dc96037eb1fc0N.exe
Size

42KB
MD5

908fa9dc6a20e673320dc96037eb1fc0
SHA1

52499f0cf749bc454ed215868ae922e44f2232ef
SHA256

00957362182f83cce55b62287b19acfe88e6b75f28d4c78f6b6314265aa73955
SHA512

997835dc7d032e9a4d3e069d5fb0cc8b79bbe652954ef00e170ad65eec02f28e712bd895eb81528768ae0def96b6f7c26be17e8f2cd960e71ef4a7eb8e617a41
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKvhWSwSKV0PlAoJslAoJ6:CTW7JJZENTNyoKIKMSwSKWn

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4684) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/408-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023462-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/408-908-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-CN.pak.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\BlockEnable.ods.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\desktop.ini.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	908fa9dc6a20e673320dc96037eb1fc0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	908fa9dc6a20e673320dc96037eb1fc0N.exe

C:\Users\Admin\AppData\Local\Temp\908fa9dc6a20e673320dc96037eb1fc0N.exe
"C:\Users\Admin\AppData\Local\Temp\908fa9dc6a20e673320dc96037eb1fc0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
42KB

MD5
fdf77b632c5a262bfd3962d4735494da

SHA1
22a6adc1d5f4edb95b6ae862a585e653586c7803

SHA256
d3cc92c3b13f544c6269630abda42799cf313301ee8a5b369d4d1c0766e97b27

SHA512
68d7ea1074603958c700eee5c942458573a8177372797febd2091a64e6b2f816e979c1a74c3518da02f53569277443ebffb5a686641068b49dbfc05bb1ecfba2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
168a1a43cab599d7dafd88a304abc681

SHA1
635163831a36e5b76eb265948a5275a7e259c477

SHA256
0eb95f4f6cde44a0a1cf1ba0915a052b6ec8daf9f276b0bcf61427a09f34d7e2

SHA512
55af243efe39e972e064e493853f26b96129e2ebcfba7210015647834d28dac5c7861b34996d1e4a972db3d136fcd542a808b43ed5a0e3a8beff56a33b36ad1e

Download Submit
memory/408-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/408-908-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download