caca2c4325695562abbdc7a18b3722ff08bb226ae7598687f43c0f57c19f1062

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1fd238e2eec0ac2ee506ac8020a1950N.exe
Size

55KB
MD5

b1fd238e2eec0ac2ee506ac8020a1950
SHA1

03e59fade495dcb54e28a1e7373790d96e555f00
SHA256

caca2c4325695562abbdc7a18b3722ff08bb226ae7598687f43c0f57c19f1062
SHA512

41cfe1c6b9c7c9f6e07cd60da57ca583523ac7c6540f0964213ec1d85171dc4f4bccf7e7bb77b841d795419b194a7c9f7275fa9e87c0b82f4f2726bdc4b3b8a4
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBApwp133EskmK0:V7Zf/FAxTWoJJZENTBAOIfmKJfmKO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2832-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002348e-2.dat	upx
behavioral2/files/0x000f000000022902-6.dat	upx
behavioral2/memory/2832-874-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	b1fd238e2eec0ac2ee506ac8020a1950N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1fd238e2eec0ac2ee506ac8020a1950N.exe

C:\Users\Admin\AppData\Local\Temp\b1fd238e2eec0ac2ee506ac8020a1950N.exe
"C:\Users\Admin\AppData\Local\Temp\b1fd238e2eec0ac2ee506ac8020a1950N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
56KB

MD5
9e27e95bd667d6bffe268d92fe6d48c7

SHA1
25ce2483b5c5181f6b52846e7ed185253be67505

SHA256
34f0491636d16902be02ae62d4a5b35f4d29b1135729580c5fff216e4ff0d0ef

SHA512
92fcfeb0e5a4b916429fe1e367666a04eb9737dbd745d32bc34b0b119e04cfe28cc1af2cdca9ed9a1fc3291be90e62bedd5cebc4c5e967da723411ede1428182

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
154KB

MD5
e58f7109e574f96911b12229ac42287d

SHA1
be1fddeb52f97e0b4fdd0c4e9fb059c2d35190ed

SHA256
dae0c7b034e7ba6368823d03285c4c51f392f4fd66ef5285d44b7b781ba22bb8

SHA512
69dd83df12a0dcdaa0f1855c1920f26eb5dc7021637994d3d7073b6a582fc779a4b1127832499a4a4ccb5783a861c77a8da0ea9cda44e17be2b30a718a53183d

Download Submit
memory/2832-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-874-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download