d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
Size

62KB
MD5

a6f47ef603f3f82dd17e27481eb41910
SHA1

a29d704694bea30ad75c6891dccf6bbfc3f1c87f
SHA256

d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42
SHA512

91c73eac6e1bdf16fb68e3f4976f1d51a6a1dedf2d8b647c909465380beee35d868cdf8ccc670b3c891f96bece35b6233801759664c047ba262c0b7533468640
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBaH0PcR0PcXn5S:V7Zf/FAxTWoJJZENTB4JRJX62feNdNt

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1812-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233e5-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/1812-912-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_font.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.JavaScript.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.IO.Packaging.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe

C:\Users\Admin\AppData\Local\Temp\d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe
"C:\Users\Admin\AppData\Local\Temp\d68a3e26016aeb95a4ddaeeae80fd72dc6a7635ac68ff6dfc58b6913e6704c42N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
63KB

MD5
83234bc13fc44b2daa75246de95beb44

SHA1
f0953c9eabb9f981470e4e8affc3d6ffa1ad0c06

SHA256
414426c2cb5711d3b978016977c4f5f920a58509fa5a01fc32632256c6d35928

SHA512
0f3b4b7b9ae4cf867f58073db73567ffcb451789548447e455bb5b07e28aaa1798c063a848bbd6bbaf17f8ff70b16bbbc3d8b0734eb180ddc5cfee014908dad7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
162KB

MD5
e240d6e97b7e5532e664e31d5f50a3c0

SHA1
408b705411e5960d242d007d5da6ce811653062a

SHA256
fe80ded233749378750e82b29ddab4798903401f44d23fdebcf6881af3ab99b1

SHA512
307be75b805e8b6ec17e4e56577e4e9e7612cb95cbe70a1c6f43ccb1bd6d9bc46d9a793eab58ef1fe586b2cbc844ce5cdf1475e5f35abca55d93f09b34c43c4a

Download Submit
memory/1812-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1812-912-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download