5cafbebcb61bc6fa0b108fcbc955de742cb8164b00b877fe8595795ed741b53d

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9df313b811c103a233498ff7f2c3bb30N.exe
Size

27KB
MD5

9df313b811c103a233498ff7f2c3bb30
SHA1

ea637da2c01e368ace9d537e5f0ac22d99fdedd3
SHA256

5cafbebcb61bc6fa0b108fcbc955de742cb8164b00b877fe8595795ed741b53d
SHA512

3a3db99bbcbd32b0c793ac0d6e9c5783902c27c5cd60d53317d1fc969adcf6353ec7dd9d99a2ad5f6d2056a5e3e458242d099ced26e0cc5d4db79d9d34e37a23
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9HxwcFn4:CTW7JJ7Twc2

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4684) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/768-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00080000000234d5-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/768-981-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	9df313b811c103a233498ff7f2c3bb30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	9df313b811c103a233498ff7f2c3bb30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9df313b811c103a233498ff7f2c3bb30N.exe

C:\Users\Admin\AppData\Local\Temp\9df313b811c103a233498ff7f2c3bb30N.exe
"C:\Users\Admin\AppData\Local\Temp\9df313b811c103a233498ff7f2c3bb30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
28KB

MD5
e7cb6fe2ca8b2bfcbd11935cf6f066db

SHA1
165f2ae8154f85e21ffd6e0f36f5926d5c163e10

SHA256
53991f91720fe03578db2bbb275d9c215499e18b01993e17daedc692b513ead0

SHA512
56b0b7537bd80313b6d257c190f461a47d6951a66ba2dac3e712ae22eb50c263c77b7a4c543a1f3b3ea3cf59a749fc84a808034ebfc8c5e0fb453a3d5aec848e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
127KB

MD5
d99cdd2e3896a1430431e2e146229964

SHA1
6df90789806d8053288179d9cc50e40152d8a167

SHA256
330a580a72c55ce09303e53ef3987817a9113448804fd608bb807f5d07d2fd84

SHA512
6680f7eef6537005a6c0cd719abe73ccd87c3739864cf9d0aa34521911960539f0fb5bcd1e037cabec59c819aff5a5fb1418e5de4af0edcd0cf9e7ede1018637

Download Submit
memory/768-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/768-981-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download