b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
Size

64KB
MD5

3f7d5945d56bc18006a0b70004b20211
SHA1

05c53368538de7bb639909d039a4a3af291de469
SHA256

b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0
SHA512

d40af6ffedbebad8d800d2690da8cf7192604daeb45b4f32f7eee5f255f4e7c3c473336e50bdf1c4f8f523361d45e8b447afc00488d1595e3957c6b348c92803
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rU:V7Zf/FAxTW/ySSh9j+9jpGnb

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5038) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/788-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002341f-2.dat	upx
behavioral2/files/0x000800000002347c-6.dat	upx
behavioral2/memory/788-866-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\vi.pak.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLPROXY.DLL.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe

C:\Users\Admin\AppData\Local\Temp\b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe
"C:\Users\Admin\AppData\Local\Temp\b22a5e99d7c86b96e49b65052e6b1717d18a436c52bd8cf232779fe50ed806b0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
64KB

MD5
32b8261c4162bb6aec4b0fb8d7a562e8

SHA1
f2050f70647b12471f69d89209ad205838ed3989

SHA256
8a2816b1fbc9ebe2492fd67019704702602265aa91dc1a4411192bfded051b55

SHA512
2a3d1249d281179c3301a79f3b7f2bb77af3a1ab71504dca7aff57ea9271124e809c6844098e5d4f2fd3cd372fb8832255deb95fdeede8818f2f1a1249ab7609

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
163KB

MD5
bac28d6a205b987bd49876671b64da27

SHA1
c7cd87d149b787e3dd446fe4731552035f125d54

SHA256
eb5a0dd4c58f5a0affc8bdff0762c063bad699650e7c7a284e5a3a56848e1056

SHA512
3cf7ad9f78ba3a136cf11231d1d8b66ee6e791d01445222a01cafd34ff8fa74ad7c51422570de9a24b6ef37ef0293e9a7780e2f2171dc1632a6413316532b63b

Download Submit
memory/788-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/788-866-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download