a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
Size

53KB
MD5

628e8b85d5674912273c3e6f6748c221
SHA1

31d5e4e2cb56aac9f08c89b34bcc31ec8dec62e6
SHA256

a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687
SHA512

30fc605579eaa6de9c4cb9c15645d6304fae82d5c0b88492e0c8ce1c8b1144de08bfc06c1b0a4adeac78074a6a6d629510fd520fee0d801ef57420b6dd1d3f85
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9wStuStY:V7Zf/FAxTWoJJ7T2StuStY

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4296-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023506-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/4296-902-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ITCKRIST.TTF.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe

C:\Users\Admin\AppData\Local\Temp\a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe
"C:\Users\Admin\AppData\Local\Temp\a5e294381be15080017bf3fa16def69db125022761975e9aa53f31fd2a2c9687.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
53KB

MD5
1cf034f9c1e4bdfa547cdeba82f5fcc3

SHA1
a5c69f65a26d4cdb4b8bcf70ac08493e233b329c

SHA256
7edf4f2d2455804580f871cc9b97b832bb376de2af7a440b6061c9638e1c13be

SHA512
a2d778c80b42b35baa0ba5bb189fff086ef919800c8916cb052bac1862659125e639188e4c3bb178e3761ef223ff85394606bc02deab821da458154ae771f36a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
4e0e56d4c14eeb609af92993a0a8e12d

SHA1
d312961f73fddf8fec0fb472e7111dda3e7c9658

SHA256
74716d9a4ad10a1a48be7352b871debb41a9153fb75f0115f6400dfa4952c1a1

SHA512
12367f4f2593881bc0156d27ff15cc73a2373f4d94c5ad7833abc6940e07a4af3a5ccfef792f882791e06a2ea68e60ead200da96e0c86200422c926cafcdfe4e

Download Submit
memory/4296-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4296-902-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download