d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344c

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
Size

120KB
MD5

7b640159e6249d4e1757f7bd8194eb80
SHA1

fd395d3fa8c6625fd6804ff4155614040c1375a4
SHA256

d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344c
SHA512

408d344f94616ed88e13199417bac462b0fa77137b2e5ca150ba3a314221b86e9ec7486238070e49646f0dfa5cf9dc4e7d036e4e15d3cbe5fa52d65d9e7c81c4
SSDEEP

1536:V7Zf/FAxTWtnMdyGdy4AnAJYq8YqnTWUnMdyGdy4AnAJYq8YqugZ:fnyGnpAekgnpAekdgZ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4369) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3108-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023462-2.dat	upx
behavioral2/files/0x0014000000022912-6.dat	upx
behavioral2/memory/3108-858-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe

C:\Users\Admin\AppData\Local\Temp\d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe
"C:\Users\Admin\AppData\Local\Temp\d70ccc6c8c0674f361999a46b3558c10e3b197deb5be749bb2040d62b43c344cN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
120KB

MD5
a0236f1a83a224c5e2a2387064f538cf

SHA1
8bf8e05d48145977a3bc9a61f1e10caf2a471695

SHA256
b1005cc7f4cba4aaf781e5127a21db0a87229f775df18ea5bc694b2c6281c419

SHA512
79da9d761389a93b1aa91f18760a5e9843b673de250af9c693de06450a3e88daa0bff1779fde8ba86d76736c2c343283e2514e5e056205ed9483237bd98d2d6f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
219KB

MD5
b227f91444f30e2f7a09a2476a99e398

SHA1
9e5e557ffbbc1c9ce8141a47b8bf989a12d94855

SHA256
b68cd882e009a6ea999d61246e200d714ce2f44b17c80bcf8c108dc2068eb8b7

SHA512
065554b2449317d0420ee6012f442a2492c1c55717913a02dd7cfe006cac04262744b4030e24b30d077f74ba68fb675718d221dddfc08bb3e317547b47bf8018

Download Submit
memory/3108-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3108-858-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download