a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
Size

41KB
MD5

a0070aecc1a988cfe8617f4c9d6e4090
SHA1

1457fdc12c9f562a03c3ee2be572e3638fef1da6
SHA256

a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0
SHA512

7175b4df53dd67f214fd16a9cd3add83291d925f193fd54f4afd83ddf7ed7efc4d2df656a09f323458589418a67b52c980264daf77999be9a2d07a4b6eff492a
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcuvoE2OiJfoE2OiJ1:CTWkySSh9j+9jpGn4

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4692) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1032-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000900000002346d-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/1032-1038-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicudt53_64.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe

C:\Users\Admin\AppData\Local\Temp\a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe
"C:\Users\Admin\AppData\Local\Temp\a8f58291a709b834a154ab5c53d072b7845f094c18d3d318653d9ab9b2b5adb0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
41KB

MD5
f7f71f7426a53e114dfb7c50b39e54de

SHA1
c8acd3872a5d64648ed695fb809a38ea47a681b1

SHA256
414a88503137a79520cfcacaf6f202141e4e89919a8b163660a7b03b56d6bdd3

SHA512
6c943a6b55a8db4d4bbbe976b2887e8ac1adbb52c2fdbf6689460d74d525131bfdf71efdf68330b4e2eee75c738e211e5bbb71d7101e5d4cf6b2e8549739c41a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
390f959bc22b53c7e6d166b12fd6f086

SHA1
e7e63a731149ef6771fc23eeeff3a3fd5812835e

SHA256
e3c3473c26f3a6a31013276903eafc6a968baba1db1617be39f859876aba8aa3

SHA512
084ea7f6d630e9f0d532857dd6139f5c63fe956d01076bd59613b7ec16810d27b1245c6de50c9950b56afe6d0658aa8e62fd825dc5c680ea0191359a452c689b

Download Submit
memory/1032-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1032-1038-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download