feff7169c45789ced668b30627e6b22c8a80ec53bc9fe0691f28595c6132f198

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a69aa21373078e6585155af15b8cb850N.exe
Size

27KB
MD5

a69aa21373078e6585155af15b8cb850
SHA1

0783dd15996dd6ef87f7c857e7d0463a6ed1d4d3
SHA256

feff7169c45789ced668b30627e6b22c8a80ec53bc9fe0691f28595c6132f198
SHA512

95c56dfb87d41d534db6f151e515e120fb91827a29edb2934ba454e5bfd9216a545a0167ddf123661308738401d0af80e885eb17cf02dee08618c98829740823
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9HS8fI:CTW7JJ7T1S8fI

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4644) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4716-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000c000000023ba6-2.dat	upx
behavioral2/files/0x0004000000022941-6.dat	upx
behavioral2/memory/4716-784-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\InvokeAdd.avi.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	a69aa21373078e6585155af15b8cb850N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a69aa21373078e6585155af15b8cb850N.exe

C:\Users\Admin\AppData\Local\Temp\a69aa21373078e6585155af15b8cb850N.exe
"C:\Users\Admin\AppData\Local\Temp\a69aa21373078e6585155af15b8cb850N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
27KB

MD5
047b9d385a59e9ce29d5cbdde0ae88e8

SHA1
74356d7a6ac597d83b391afcdd566ee72df0b9a7

SHA256
ccc3a8115944e0086ba4030171ed91f99804110424727a911f7f8afe8c601594

SHA512
ceb41e7b334cf77e5d20d45e2fa00832fa30d31105414434f0f622b8b1d1007e94ea68d5a5eac18ab78f3b2efeafd493e00cc1512ef8f87e06f102625ece1f3d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
126KB

MD5
5a519d4d461edee35be4875e784d046e

SHA1
ba271f182141be7e42d2a683bf91d9246dc0c1b7

SHA256
eb7b36b684149e678b678b49fb6f4ce2b4ba63d9bbdb6f3b067f975f85e11d83

SHA512
697f4b50412b37f94db25d59b461db7908020704e3103e1c3e746ce475ebec31f1cd1389fef4aa82018c024d2c2cc0edfc9a41d5901b100be39c412d5e8af9da

Download Submit
memory/4716-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4716-784-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download