0e9e181b7538162c8ec6aadd45afdd0937b161c478718abe91c67fa4b0422812

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69af5312ec3f3a091c8aa403494ba840N.exe
Size

74KB
MD5

69af5312ec3f3a091c8aa403494ba840
SHA1

6d514b8965247759201886e2a81126f412832568
SHA256

0e9e181b7538162c8ec6aadd45afdd0937b161c478718abe91c67fa4b0422812
SHA512

949a3ed01e621916ff71c8712ed399a3edeb9591c6bfef2a5269459ba19213c535f7b654fdc64cfb304605529dbb51d82af1c5a47ea5248ece2d6207c70b2fa3
SSDEEP

1536:V7Zf/FAxTWC+Q8t9x2N3PhBBRldVhZC/c0JzGzTWYOeL1SSvX6ZAKnAUoVc/TwZg:fnyY

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2484-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233dc-2.dat	upx
behavioral2/files/0x0014000000022912-6.dat	upx
behavioral2/memory/2484-872-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7z.sfx.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jre-1.8\bin\bci.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp	69af5312ec3f3a091c8aa403494ba840N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69af5312ec3f3a091c8aa403494ba840N.exe

C:\Users\Admin\AppData\Local\Temp\69af5312ec3f3a091c8aa403494ba840N.exe
"C:\Users\Admin\AppData\Local\Temp\69af5312ec3f3a091c8aa403494ba840N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
74KB

MD5
03cd758dedf9d61e4e9419c9f73bfae6

SHA1
fb84dec71f4ec24762c9be21b456c8d59e40da80

SHA256
166ce9baec871d8bfe006923dc0e82831529da8b4a660f19fae2d9b4775090b4

SHA512
4c052ec5ab4626f4fcf5b8b8ae54f86ff897884dbda870f7637598dd2cdea28fb9f779b187915d16dd3ec7dcb5cd1bd30a4557032bb84359f1c7d5e3467b5ea4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
7926faf675f6f44ba601f7d7eec6514e

SHA1
aa177308e241ffc5f65e753df3d4ce68a233ee1e

SHA256
66d8ae5cff9f29412087e30c0fb8c523794bdb3ffb775a1cd75c009463ccc2b7

SHA512
36617d02df9bc540ebd912ba156857d8d15aef4cfae0053d27cd36675120c8596be83661347950735afa4b8887007f194c16f7c0bb214546ee644bc502450419

Download Submit
memory/2484-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2484-872-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download