c4bd8a6a5ba2fa5b8247e67ffb1902664225642eac0a21cebc145965e64fc856

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca226b42d38a747e21571cc09025cbc0N.exe
Size

76KB
MD5

ca226b42d38a747e21571cc09025cbc0
SHA1

313988561ead0b2a179d8c2c25a15d46d044908f
SHA256

c4bd8a6a5ba2fa5b8247e67ffb1902664225642eac0a21cebc145965e64fc856
SHA512

dadac8d9326f84a42fefc66ff6fa95f8e6c5e3a5e75ed2697b0d77d37186b988de17210ee51b93e021a9a95664748998e2568ec5a756e0c18000ba735a0587fc
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9woOzOuiJfoOzOuiJ1BT8:V7Zf/FAxTWoJJ7T4MgTW7JJ7T4Mt

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4630) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4436-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000e0000000233fa-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/4436-874-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Metadata.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca226b42d38a747e21571cc09025cbc0N.exe

C:\Users\Admin\AppData\Local\Temp\ca226b42d38a747e21571cc09025cbc0N.exe
"C:\Users\Admin\AppData\Local\Temp\ca226b42d38a747e21571cc09025cbc0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
76KB

MD5
2fc0954e78337fdbc7639e3c274cd97b

SHA1
632ad2ea50bbeb31459f13a4b8d51a30bbeddedf

SHA256
6b6279ea72dc89958725f4b48282634f68b1531dfa68880d8e07558f6aad9b73

SHA512
9a0d090238b7db063db0a163fd145665e83d7986d5e1286c9f7a75eb9f9e4672f8e56eb4c07627dce168824b76847678aa4c96ff3e2865418495bc9ae0aa7639

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
175KB

MD5
4c37c46683e4437f626fbaca64621830

SHA1
a90ea3194b6bb51362241a17fc5e472430a1eeef

SHA256
fdf3b7235c09aa497a899c7e65bbeab442c3ae74cabe74d6e99151a41b830293

SHA512
9a7208d27c26b6252ed530e937e3a6649295945cee552de3342372c36cff07c760bdf02d49629f1461d17368d9132f546e237b9723812e0a96aa96247f8969b1

Download Submit
memory/4436-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4436-874-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download