040d9d1b852babb989a666876605cbf8e56e3bade18fa1da874bb89548888d4c

Analysis

max time kernel
120s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

438789ffa009e632098f1affe8eccda0N.exe
Size

42KB
MD5

438789ffa009e632098f1affe8eccda0
SHA1

ec57ba466d82ce4cc97ec2ba63b32f9483344d92
SHA256

040d9d1b852babb989a666876605cbf8e56e3bade18fa1da874bb89548888d4c
SHA512

4c1f9bcaf2d100461839ab6d2e78d1c2318227eb7aabcc93d94b4674f3d40a666c60a45ed55c6e5a8f6bd3c7652c7b637e58f451ec22d82b14ddfac26ed90083
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKvhWSwSKV0S:CTW7JJZENTNyoKIKMSwSKWS

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/976-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023472-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/976-869-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OART.DLL.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClient.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	438789ffa009e632098f1affe8eccda0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	438789ffa009e632098f1affe8eccda0N.exe

C:\Users\Admin\AppData\Local\Temp\438789ffa009e632098f1affe8eccda0N.exe
"C:\Users\Admin\AppData\Local\Temp\438789ffa009e632098f1affe8eccda0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
42KB

MD5
e859e592ad9e12048bbf52f692da98d2

SHA1
8d9e8a8939ea7447b912edbe1117d8a208d1e571

SHA256
3e41570589ead769172fbca739a506e97ad9e88402480bf3e244443079efa6ff

SHA512
d95691c33af1229d0cb8fd440d4c15d7b35d3de59e34928751a3a5bda1bff6d8b3adb9916b8ccc44aeb78050e3f1c76243f0997dcd711a60c338cb94723665f8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
e3e0e50073c8e2115375230d6b03f72d

SHA1
c0a75fe299e76640e55b936d7724af2f27bccdac

SHA256
ed1cb651aa3f6968b8e6c793972052cb09b2e61c22a870d1b625c84f40ea9f76

SHA512
610471085d74b3d82662b2d2bfe9755c19218aa6a286144b1effa8cb431ecd3a53a58be6034a613f50c7df2537c9d30b04f4cbaacc59dd6ffa41c83f30265735

Download Submit
memory/976-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/976-869-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download