41b5f20d7c5fd70f856c7f06ed6a2dcc6b371ad1ed6075bf8f2937b4b6b68851

Analysis

max time kernel
31s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 08:34

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

7f9524756399e5f2d1e4d5db6df5ea60N.exe
Size

27KB
MD5

7f9524756399e5f2d1e4d5db6df5ea60
SHA1

7a6bb71403fbf22d9880f4dc02e89e0dbdb528eb
SHA256

41b5f20d7c5fd70f856c7f06ed6a2dcc6b371ad1ed6075bf8f2937b4b6b68851
SHA512

11859889019ca3f20e461d7bef61ecc8fe63ad5b18e81f5a0e01e0924f13aeaac1a3a8389ea61615f8a6e45554d88715caae14a8fcc0a25bb2e444affa128ebb
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9uJz:kBT37CPKKdJJ1EXBwzEXBwdcMcI9uJz

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1049) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3252-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023455-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/3252-1007-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp	7f9524756399e5f2d1e4d5db6df5ea60N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f9524756399e5f2d1e4d5db6df5ea60N.exe

C:\Users\Admin\AppData\Local\Temp\7f9524756399e5f2d1e4d5db6df5ea60N.exe
"C:\Users\Admin\AppData\Local\Temp\7f9524756399e5f2d1e4d5db6df5ea60N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
28KB

MD5
53ec0dc5c99bf673b0f47aafc485b7c6

SHA1
1085a7ff47fcdec0065db0b42584217b15249974

SHA256
7e92c03f2935af57d867bf5511a26212fbefcdd3a88c51ce5038a62f08d68c65

SHA512
2e9d928edf769c65121035c71d8d3a780c049fa58c5f6083abdc6add0acc22ebc7aa7578673387afa8a0e52a6c91a93189db3aa705b792829c9e1bfbff77d304

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
126KB

MD5
0cd0e94f559fb7941c687411c5bcee62

SHA1
79156154eb19dadcd404a68342ad8824488fd833

SHA256
becde9e2ef08d42164ff1140e3fd18179f0cb81af1f1c0281b907e184d94e082

SHA512
cf4bbde0e587cac99fe0299f2cf7bfceec3944b00b2e01d5213da8a2503db863473ae7ad007bd67448568a57a6f658ff2154d96317af8cba19fcd198fa66f32c

Download Submit
memory/3252-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3252-1007-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download