7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 22:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
Size

48KB
MD5

29f6b0e9b91e3c965cfbb1e9fec98eba
SHA1

59d65cc3a3c233bd4d814a75191d72563fabca7b
SHA256

7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f
SHA512

dd35dfbfeae4546614e0db4ae41bc1280afb8b99b7abf49fa8d8bc7f89665221989bbb92af357dac6d5dff4d4419522f71102d392fc4b9bb47ee533aadfc6da8
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI99:V7Zf/FAxTWoJJ7TP

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2596-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023466-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/2596-942-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEIMP.DLL.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYM.TTF.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe

C:\Users\Admin\AppData\Local\Temp\7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe
"C:\Users\Admin\AppData\Local\Temp\7035ed464e3e47e70c2f47a3509f1b4fe6dc936dfb4c0b4301734dae4ca6196f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
49KB

MD5
a1291c0ee4e90f55d45431abe7360bda

SHA1
c2c3e4fdf2cf66444f93a5d627a54b678fc6d25e

SHA256
29c77956ac8ea8cc9ccf27db862f6bb6be0485c839ca4e82148d69a7ff5d2f7f

SHA512
c2f47b8ee2c3f2a516eccd3fe0e2c6240ba6ef3fd4ee1f65368a8ab3db3f1bef5d08af7964a019b11cd6fd17c83f1aaf0530406d37a56282cba3011695539e2d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
724e19e867d2ef722c7689328ed03cff

SHA1
6e1060a368accce6579b9c8d0c7ce27719d0f19e

SHA256
886866b68465cea66eebc35aed0fd33a37f630d5179c5f671338af46c1e356e4

SHA512
0c245b04c811b1da5e049a54f00a2721442c87f1c5e9a90722518cc5c0763978404ab13d2e98177cfcf24343414029bf54025835024214dcc2919f498e00a379

Download Submit
memory/2596-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2596-942-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download