ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
Size

48KB
MD5

9fbd497d87e23606e5c71589a4279469
SHA1

4ca0e697fa2497ee2fc4da005f42b8bfc519ecaa
SHA256

ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414
SHA512

d3995bf0be630d37b41425e32498a39a7a02fd285b2df31e15d8abb2a4a9da8dd7f75cde550d8d047b3e5c9f67122f42d1fa169e48f82852a27f222b9ae5208a
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9U7:V7Zf/FAxTWoJJ7Tw

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4488-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233da-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/4488-896-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.DLL.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe

C:\Users\Admin\AppData\Local\Temp\ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe
"C:\Users\Admin\AppData\Local\Temp\ea6ef28b5078a6232208a640c37f663904c1888f606a4713df6625d5aeaf8414.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
48KB

MD5
a67f02b9599a119a83e5fa7025f019b4

SHA1
c853d96e3a657f83cd74f6eac33f0739f801e2ad

SHA256
f7cf3fb60cb80873526f408d0ba2940e2b36fd248a05e7cebbb68a911014bce0

SHA512
f8251d9bfd0db546344b1a692990b84b9ee23800ca9b3fbd7aff0c143e3fe446fa130bb5f5f20c6f01563c6f7d162da7c48d3cb29078b30a42531f265959a81b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
2695e5d37a73622d5caaded3cdc06dd6

SHA1
b5b25e2d06eef246809fa2c5d03434f11010e0b5

SHA256
b1f50ca8ee6f7af5bca7e451398ad498ade6382cceee70facbf198d098fd59f6

SHA512
5136e7ef7d030ea3f1916afe2ac8c18738d2903b5321c4344691bc655fc2c40f50e999158a4682dc07c60c713ce9bf89a3c211f7c84d32de34d676604f84abb1

Download Submit
memory/4488-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4488-896-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download