0a2244b010b77072cf71c5e4fd2191fac7738e70685f47afb6dd943c627522d8

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 10:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fe2deb8248f82e7a37b8617700634d60N.exe
Size

71KB
MD5

fe2deb8248f82e7a37b8617700634d60
SHA1

6efe0e8ec294c707a4c8a0a444cedf68b170d0ef
SHA256

0a2244b010b77072cf71c5e4fd2191fac7738e70685f47afb6dd943c627522d8
SHA512

5d94ffbd92d97ac497c38c056c95d808812c761f17f703947ad97f78f2070227496e3b4831db0f44b70b07ce8e971bd8e5ab276f9fe29eafa380ffe7ad4d8c11
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q89:fnyiQSoG

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/392-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233d9-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/392-918-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\eventlog_provider.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	fe2deb8248f82e7a37b8617700634d60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp	fe2deb8248f82e7a37b8617700634d60N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe2deb8248f82e7a37b8617700634d60N.exe

C:\Users\Admin\AppData\Local\Temp\fe2deb8248f82e7a37b8617700634d60N.exe
"C:\Users\Admin\AppData\Local\Temp\fe2deb8248f82e7a37b8617700634d60N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
72KB

MD5
d6430a72c5f883215ac8e3c2f439c9f7

SHA1
352e60e65d000e518a521dd5b4836bd790a9a26c

SHA256
abd4d8e6688f55b34058c0b8468c36442e17ce0f4141a1f0f65af639c0675f6a

SHA512
12929f988d8e631123902970b8a6beb0c51979181632298e6e174ca886af89f0365b5442311796441908ecb33de918071db41a1519d757ff5564dbaf5f372712

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
170KB

MD5
594212dcc4a3b5de8a4e2ecae77a8cf6

SHA1
94d52acb8f328c1647958f4e65e37b75ad9ae48a

SHA256
a4bc3b6348e40d5156d8735360462b4460152052f08d21b986665c54284660c6

SHA512
ee0600a8d5b553893d99725d2e4f5e042a41cec5b9996891b24cd16226af8e08b91bb7917e595cd11a68e3b6bf8a14a891890d4dfbc5a5a95c562483cd8294c9

Download Submit
memory/392-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/392-918-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download