cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 08:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
Size

53KB
MD5

564c091eddf241a46e143b130de70f60
SHA1

ab05c766e2725be4923d8466ffc2505251578587
SHA256

cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2
SHA512

7396758d1312235e263284b57cb721e05c3a080883b6f8b8c3ccc42a961cb14cf54f5eecb13fe617e4a595e707e79290d87ffdb3dff3f828aa48dcff22b3fccc
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9Uwm:V7Zf/FAxTWoJJ7Tiwm

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4136-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000500000001e64a-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/4136-910-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHSAPIFE.DLL.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationTypes.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe

C:\Users\Admin\AppData\Local\Temp\cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe
"C:\Users\Admin\AppData\Local\Temp\cee2a83374ff5a9a5202e744b86ba81a90322c43272d6200e6f5db0af06375a2N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
53KB

MD5
50bbb5091cd5720777f8b33f0b02819e

SHA1
e9877479b5caa399f435a2021a59f0800f57e719

SHA256
18801178d0727c1a2f2f266b7303b613ad69f12b62e1846f0766e2c4b7ee58dd

SHA512
e7de25d3bf50de9a3d626890702169c6ab123a419e58b6a037fac493fe73d381627f41c91a770e3ce8cc2d400f29b8159a566d60b3eb9097ba1f9b572da3bf9a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
09ac3f9aac4501fd4c544efbf2baf273

SHA1
6d36ab3db962532febba18dc051123f1c663ebbf

SHA256
7119e5deac3ad372369b3465a96daf4713ab3e99402cba3e5754669b8ee41d20

SHA512
7c8e37cb309687f8f5fd8fa82d6c2dba58699bfb26e6e47f02d1021658b36825e61cbd3fbc1e0fc2213f3c042904795bab827e9011633b9f38ff8963b3fa617c

Download Submit
memory/4136-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4136-910-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download