4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
Size

32KB
MD5

235a8e79ec275108f39af14c76bc7f75
SHA1

6256b4fa6b1a7b5bd1c17232734f378ec708a464
SHA256

4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143
SHA512

68074b3fce0eff6d9a9bb9dcabad7e5411ff4f0c87d779023a225dfcf4b5ee9b274c6ae8b950975b801d703b28ace4f580863bad8b6fcf65283bfe4cf9176910
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKF9ADJ59ADJsmrPlHlB:CTW7JJZENTNyoKIKMmrP1T

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5102) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3012-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023567-2.dat	upx
behavioral2/files/0x000600000001690a-6.dat	upx
behavioral2/memory/3012-855-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.tree.dat.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R64.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe

C:\Users\Admin\AppData\Local\Temp\4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe
"C:\Users\Admin\AppData\Local\Temp\4a57ebe72950328367e4a7a96fb7be6489bb9ad4ce41a551c0fb04defbed0143.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4036,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
33KB

MD5
05c65292dd8b9882c4d85dbadbe0c647

SHA1
ce6d38dc9b88b4c64e49d3174c490d63cd54225f

SHA256
40594164d547cdaa2be8c0d101f9bc57d44d245810446dd5bf7227a07ae58a6e

SHA512
4481e949938b5450ea3ecd8f4cb5d14e6b2508c10c930227768ce134e9d6af68489179d6ade3f9d92bb67a4c563be3fdf9709f9a3ee5b74348989d129c6b81a6

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
145KB

MD5
ca263bbc00de88fd6782269543a0520c

SHA1
7a8cc4f8594d0abd4810bf5e1bea38eb03c347ba

SHA256
9b3b79c753e8c123e5f00744fcbed802f5ce4756d921e1895a59a9f91a372466

SHA512
7212dbc744e9f1e37b59e8e27033d0eb21484322dfcc58c3f8c1aab52d95dd140db12b0d673262e52180abdba30755678c4bd42fd03231c6e70b06da6f89bf57

Download Submit
memory/3012-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3012-855-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download