b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
Size

636KB
MD5

50598053f074ac748305775d3e749650
SHA1

0c69d1a766cc72aa53a54cc0d0d19609de1b0205
SHA256

b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2
SHA512

8743943fa39affbf43018a9d58dee47805622cba3d79697f3ddc44755b1c6ef35c16c5e0e1c7f0125dba09081238f2d6a0c359ea5bfc07c282ed20c0eaa58709
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9ebZoW:V7Zf/FAxTWoJJ7TYZoW

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2445) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1088-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023489-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/1088-482-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe

C:\Users\Admin\AppData\Local\Temp\b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe
"C:\Users\Admin\AppData\Local\Temp\b62c6e0703d82e11236088ef6db4aa40bd91e1430bfd916e68a164c2c66780c2N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
636KB

MD5
09b7c9c1455cc1c2a2576439369d53dc

SHA1
3671e66cd84c10ebd9abd47a12c6d9d516bd5a1d

SHA256
c90a5dcbd15a84307073ea1534195b4e87325b84339ba91378811d9a563c2756

SHA512
0a3d98118032ca7e5f62bc60343ba26c5f1057d88ea8b25776ae1fa9902df883ec2332fa38b286505450c11c9fc8a9dac609cff8f89ada332e99f76eb3eff78e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
735KB

MD5
2ba965251844dad20345c13437fe5fa2

SHA1
12be3f7fa6f64be84db912eb82c5eebe19724dbf

SHA256
a619dd73de864973e031a23f8684747c533245422f60fc6f6e525ea5cb69b58d

SHA512
f609e50a6dbd43b0fd8d2b066cee93e7be94386985ca5cb06a0aca7ccddb9e09971090b6df533f6a239843f5f890b7a1a64c2e0a7a6181b0f872407b8875aeae

Download Submit
memory/1088-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1088-482-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download