f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
Size

52KB
MD5

578e9513c4234360de538d2f9567cf70
SHA1

c9214d058aad6f0b56e43cb755e1da80f97a9d36
SHA256

f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48
SHA512

0001a6d08ec3cf158c888066167f86baf03034a8fb1c8dd7a974cfa9c885b3bc8435c6453f32f11bb70e5e4bd7d80637c8a1366f73e394394710bab5de315b90
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9hnw:V7Zf/FAxTWoJJ7Ts

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4639) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3288-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233d9-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/3288-870-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellLayoutModel.bin.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsFormsIntegration.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe

C:\Users\Admin\AppData\Local\Temp\f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe
"C:\Users\Admin\AppData\Local\Temp\f031e8dab3f22c0f13d03b15c312134a223af5029dec4c6ff8befdc37a374b48N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
52KB

MD5
04a1dbea68e028504e27bcc72c3b1714

SHA1
7d9a143bfb89823ab90e13b3c63b243b5cd4e960

SHA256
a16920266cc9479df9918d27cdf40d49bc84233c098e33e20479fc2de9fec67f

SHA512
a8b78f6939f6b718e8d9111382fb10cb7626335eb019f0b01296502644ba1953222015de5b876aff1bc4a5704f22f7ba0793e1d2e19bf189dfd11b4192a75ed5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
151KB

MD5
76379c52fc786c33cc61a002cddc6118

SHA1
4fe7ca61d6ee2568f6f5d3fd3b3544802f396aca

SHA256
39e46fe9112010d4b2ad326454ae6e631c22da773cad7e6795d418f9fce7d7b4

SHA512
b5ea3fbc0e9f614cee7d63d3bf5c0764071b14bc621a4e0ef32219ad4405370944ff17f553db1bc6c1e88993c841373c64c1ed0d12a4984a43ec34dd6d35708a

Download Submit
memory/3288-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3288-870-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download