f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 04:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
Size

51KB
MD5

8e5e2373863984b70e647cb4f7c0c3a2
SHA1

190944fafd4d2898ccde3e5f2546dcaeda42a080
SHA256

f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d
SHA512

5adb81c1a452c39b7c555eb853c5dc604995e51c97df1d52eaea6aa4f91f11b73e82bd1ec403e077e5cb4150eaafd2cb25e3652be5143463c59d6e62892b0d3f
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9B:V7Zf/FAxTWoJJ7T/

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5031) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4488-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233da-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/4488-866-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8FR.LEX.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgrammar8.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe

C:\Users\Admin\AppData\Local\Temp\f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe
"C:\Users\Admin\AppData\Local\Temp\f495d69c6df22d65175b5978cfcd746b502d024ff778e1643a2cf2863f28da4d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
51KB

MD5
9bf7294dfb1daaf434dc28ea82d1c6c3

SHA1
00afdcbd8504563e3e45eaac2e2d2652b2d921fc

SHA256
2e9bb1526d304cdf60991d2a7dfc9f089d7194b1c4bc8e66461126c5a01ec222

SHA512
d7dd6d6b306a7718c50e49851f964c79848bbe7877da1360ec421ead400b6f82f8a696077ee8dd235093103e0153c477ae1bc4e8a93515c5dd0dde1f1063459d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
169901b5ac3ff38febd528bcba152937

SHA1
d8ba99158c843f0d6f64dc349a269df523c1f34d

SHA256
fefed90b77c7521a75508e4b7fcdf302f2af5049229b9e5ead1b58c7c5976b28

SHA512
e215ea577b50e6f5a2d94601260b81ca909d64b6b31852fcde51993a4c3a65681e45f90f56d036cdbbd0cc21480ab45407db84d95f6c31db08aef7918b6b4ab6

Download Submit
memory/4488-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4488-866-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download