bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
Size

44KB
MD5

143685922828b76090efd7c974e0590f
SHA1

a408538fa4071b16f2fd7760549ece73da51bdd1
SHA256

bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68
SHA512

f8a45ee41f2af03a17e8631e037b6c23ff041ce5bd7639bfdacce443c8d5f695a8d9e64f8323019d5c24a4ca4c7a3bdbb8e35adb0caf6ac538ff3117eecbed62
SSDEEP

768:kBT37CPKKdJJTU3U2lRtJfOLP7Pki9Ei9F:CTW7JJTU3UytJfOL7k7Q

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3388-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023461-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/3388-901-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationFramework.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\SharePointTeamSite.ico.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\JUICE___.TTF.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Java\jre-1.8\bin\bci.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\resources.pak.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-oob.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\ExpandAdd.TS.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe

C:\Users\Admin\AppData\Local\Temp\bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe
"C:\Users\Admin\AppData\Local\Temp\bf38a3d7ba1084bca94ee3a423ce27addb6a35428527daa434192a5e435acc68.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
44KB

MD5
3a41b3e8a0026c24685fac0956f9479e

SHA1
1c9b2d878ba0177639def3f14ff6bc35dc98c517

SHA256
1f6d7bc3a2c8f2cbc85e91c1e3fac396cc84a848878d1b10ea9ac72aa2236845

SHA512
4e4fa9da48b7efb23997f99b51ddb9b10f0e81a25f6a9cf8b24147e279be5f3520968dab18ec4839e3b4f230853fa2539cbbeb765c3788b9790e9b4e2845a877

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
b596a1ef954e0dbde7722783ed1bf437

SHA1
57cbbd41491d6323606553882b6d9012c60d2edf

SHA256
bb226225690584906896c8d811944ee161d0798050e26b9e81b5d2f3325b1103

SHA512
b1c7f9eb1392aec26ffae24d7886f306e5b37f784fb49b6afe774ca409cf486b43268947ed458d09402d124b3ad15fa0ef2282fdb83ff271c8b75c647e159b4b

Download Submit
memory/3388-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3388-901-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download