7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 09:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
Size

36KB
MD5

d2a6439579970f88922770db7c6b1420
SHA1

8c274a34b2de8479100323fe2bd21f428bef51e7
SHA256

7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850
SHA512

4b01573cbf3ce01e27d205e73122873f526585df9b880a1504ec5f3f21c5f74f876240e84df9914fd8ff1a37d7ed9060b73daddb7a681a5f69942b24f4a9f8a8
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeUAmQ:CTWLmQ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/704-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023487-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/704-963-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Threading.AccessControl.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe

C:\Users\Admin\AppData\Local\Temp\7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe
"C:\Users\Admin\AppData\Local\Temp\7c753e72d974035d2a3b9d112bedc38f3764253f6b250ec16bc94f02ac808850N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
36KB

MD5
e9ec27ef7f3efa28b8769e9e86cbb074

SHA1
3586b0663128c43a29c6d3ce044145049fc0eb74

SHA256
8f63829a1f8fa3fc438ac6bcd464d66c00bb204095ce7173eb32ad33e91de68d

SHA512
69c4117d1309e7d62b9b37a3978af3d6741b0595ad02417232cc1aeaac9f7fccb61f68708f4e7f4da32009c09539a13506c8d2012d0636aee835ca536a0e5c61

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
fbdb804b9fb17aee23c74fb735d63c47

SHA1
edc30dd36f251a7dda57a0ab2c00e7c831d5bf25

SHA256
49a7ded6f90fa9a82e4344675791b230c2a62c098d246e3c597f32439b6cfd66

SHA512
d6cd196e5c4811e50443c52cd5a082507eb905a60fad503bd4097f203e5edd25ae5a5014c565ca72724c22f0e8d94fdb72b2da673483a9c311a62c166c72200b

Download Submit
memory/704-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/704-963-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download