eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
Size

84KB
MD5

7ca1081cac4702d6da26b25163ed722f
SHA1

4ed8f91ee5f60feaaba21a649a81316e2745637b
SHA256

eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114
SHA512

d81f53bddb8b498c860e6d071c8e44284652db4454cc04ad59aeee25631ce19bfbc79fcfe70d4197236f2636ce4b171bc8ad2194d73adb257154231ae8660007
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9tBT37CPKKdJJ1EXBwzEm:V7Zf/FAxTWoJJ7TRTW7JJ7TDS6

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5109) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2780-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000234b2-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/2780-902-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Threading.AccessControl.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe

C:\Users\Admin\AppData\Local\Temp\eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe
"C:\Users\Admin\AppData\Local\Temp\eb86308d8318490f1a2195a8f06b926bd269ea9122feacd22d91370ae6b55114.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
85KB

MD5
8619eb348138851eb7a0e0a13a09f074

SHA1
055d406f668b8a4b709bc4ed6f243cbb92e1f665

SHA256
90cdf40ceae95a86bf70e33e4f664ddbb098cb912fb3e8397eef35b0fc4e04b5

SHA512
588b83b1bb28aa21a8f85a026310e6a734eb1c9e319a900a36e3f15713574d5d1db9803de1e8406050bbeddccc0c1455f540cda934bff405606c85290b5ed904

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
183KB

MD5
10ce08978d5d9c97d51cfc44cbcad1d4

SHA1
09187ebef314631d183f5e43b7acfbbb3652d017

SHA256
2b9f74cfdd879d7d7dfc51d3339fed82c033c45e377d32a8eef2054c7c000230

SHA512
65cc55d14d9382fd86a3377a5398d75e0dfc1014bb9060cfcd3561449e163ef0f60542aa8f8805b300133afa0f4e86aa1e6c1434582ac4ea15cd9200aa7aaeb0

Download Submit
memory/2780-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2780-902-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download