f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
Size

1.1MB
MD5

bd0dde1efb674791be13ea27154ddff0
SHA1

aac6069df2462a7e95eb9a45227e4fe69b219a1d
SHA256

f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5
SHA512

f99052428ad87ee5c6f28a819e6b235e376032bd8bd0f0a4a6f9b2d6b1fa17333f706dc417fdb195e8a93d48d499960d68c9dfd5916203bf7511104cf799db1f
SSDEEP

6144:KE2Ni/HiiHiiziiobiio4zaqzamzaIzanCme5CmejCmeZCmeR:ViiHiizii+iioFe5FejFeZFeR

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1751) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4628-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023447-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/4628-378-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationProvider.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Configuration.ConfigurationManager.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll.tmp	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe

C:\Users\Admin\AppData\Local\Temp\f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe
"C:\Users\Admin\AppData\Local\Temp\f6ad2c4e66965c804af0466678c26d38408394a19a0f249d97ab776c7c9adad5N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
1.1MB

MD5
0f675bf25432a5c8f590a4666c3b9eeb

SHA1
7721595789cf43228c243ca7b61bde3093a4ee25

SHA256
18093e984974887b2b231bc40c32fd3b81708de11c9c1663eed9419aaf65c5a4

SHA512
37aee567292c0f4e8fd06a107b906c5d33212d805e266bd1bf80cd5aa62ece31da211b56040569cb0d4bab39ac6bcab85d2182531781697461d4495a2f6ce4be

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
1.2MB

MD5
e4583e52f2800fb92fabe17868d042fc

SHA1
f3ce2df99acd8d5249ca228ae1530f464c40eb01

SHA256
b89946130fa3e4d1564555639a16cfe666741c1f50b42a5d8a2958064b4c045f

SHA512
e77b55a322134eeedf285817de86dd17d064e9996ce464acf393485feddce53612fa9eea2afd311d4a68fe0e5aa1ecc1b64e1f02d0598df537b22303275a1a7c

Download Submit
memory/4628-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4628-378-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download