9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 09:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
Size

95KB
MD5

52cf336fcad035691b5c836cf9919770
SHA1

554206730df8cdc12197d0129c3431f904db4cf7
SHA256

9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53
SHA512

668688d13c7e48a7dec4f2100f34f94bd5e1db9e2d51085f96f3d4f4f01f3091210d859f8b878f737649f125ebe93dfd9a1850aad5a8f3a4d9b447407749e318
SSDEEP

1536:V7Zf/FAxTWoJJZENTBTYhQ9TW7JJZENTBTYhQ+:fny1tEuQmtEuQ+

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4622) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2472-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023453-2.dat	upx
behavioral2/files/0x000f000000022902-6.dat	upx
behavioral2/memory/2472-896-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Primitives.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe

C:\Users\Admin\AppData\Local\Temp\9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe
"C:\Users\Admin\AppData\Local\Temp\9862e6f2cb25fee720d9d67c22e2d880636a5d51b163a3df57100785479d8e53N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
95KB

MD5
58b318e1810418bfd85680f1a01bcfe2

SHA1
4f23fce1be51d00d72d80c7d4196d1ccbe29767d

SHA256
299103065298b5fedddf8abd6a79d9af1456b46b7090c2d04c1e495c99f0f93f

SHA512
4e624bfcf4f7dcc1ddd0a3a3165d64932e5a0712423b454983816de7329e1a094e82a9dc080471ad7d6c755dfba8b6ba4e8cbadbd6b96617b9ecced09003b35f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
194KB

MD5
21d553fce1a0f747311600309f7fc62e

SHA1
b79bd61dbb28ad874e83ca8bc6d52db6165eca4c

SHA256
3ba1a01401821ea27630856ecafd3efb33ba03090d773a3c1f4c31ec2182f73b

SHA512
d0c8ee6166f721cc789a0c946cbc0826a057f528f453f9bb9c49bb7bfab0e539601e3a11e1befb19df930b50685ef18610e9fccc039380732be9b98dc7ae5f5e

Download Submit
memory/2472-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2472-896-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download