248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
Size

37KB
MD5

4bd98c05d054e3c18bbd52e4cca440b2
SHA1

ddec4823f8e06e0c7edeaccb7433cf11ff153b0e
SHA256

248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e
SHA512

c66b5df787c02e3dc4139ca7a082aabfc87af251372be597f0547cb93c215ada1a8dda03386f310dd08c6e59502dbb40f7b4013653618a6ea30dab614d6725cd
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9Ro+QOViJfo+QOViJjjzjDHnHZ:CTW7JJ7TPU83PH5

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5114) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/232-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0007000000022aa5-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/232-890-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\local_policy.jar.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe

C:\Users\Admin\AppData\Local\Temp\248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe
"C:\Users\Admin\AppData\Local\Temp\248c745c15bfc8080621b4720c531319d5dc1b7bab223b08e3dcd182d52d861e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
38KB

MD5
98fd3ffaf1cd9daadcda4c7d1e882e0f

SHA1
dc46a171b688e6333bb8a73ff1ae8d00b9d23ef8

SHA256
60aac471da30e621529a852e3ec9cdfa6987fafaec6acab35ef9f15f7c9d8e18

SHA512
6d536f6246927bfb62bec9a8eeaaf832816e6dbfeda367ff79eafbbb24603c74b43bc7644556d3ac28f5a7f411b5befef027f1caede3a61284307a62efee998b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
136KB

MD5
b3a0c27fe7ab844083608f9fef0bf2b2

SHA1
17929b0164964434e05e5a5219fc71a409c39bc3

SHA256
0aafc39558e0e64a5d4265d99b6f81c030df564c94f288976ec3be154cf9ab68

SHA512
737893b390667fe2689cf9691509bc88e88157aa86a976dcccc44f01911d3ee98d503d04dcb5a3c836b5325659bfb3324f9b0aa6a65e3ed0306181051a3515b2

Download Submit
memory/232-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/232-890-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download