f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
Size

41KB
MD5

20d49eb6d359108f567e0bed3a0b1a70
SHA1

4f3d3744b1bca7e78639b2a49a52dfbeafe337a4
SHA256

f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a
SHA512

451e6cd50f0e3b19cf5a0bacbc258f83611d4d691f57aae344064d756003a736fbbc7c17e26b901183133a29c793039f0b1f37a2eecf3cc7f1ce5d6c641d179f
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeIiKxy:CTWJGpG8nIx

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/316-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000900000002333c-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/316-864-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\C2R64.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.GRAPH.16.1033.hxn.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\af.pak.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.tmp	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe

C:\Users\Admin\AppData\Local\Temp\f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe
"C:\Users\Admin\AppData\Local\Temp\f3b3bf364dd68899bc5ead5dfd2c211d347d129c0eb1f806f14ddf17aa38718a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
42KB

MD5
1900e01f6a9661a8518d03af17696efe

SHA1
fd52a2e1a6f55ca2090adbe0ddc28fe207b55fa6

SHA256
8365be0a73839f906fe8a0f7c98720c9404b2174b5e31211f2c92b2dcbb451ae

SHA512
c0450f000a1f6ca836254b25215eed2e67be69ea653f931f091500c09b7e8ccc49a77234d4fc1f78b06795010a22f02f026fe6b818702902217e588bb540543b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
20f6b828419d3aefa328757ce5047e79

SHA1
09ffdfecdc765c5f7b64f845df75dc546d71c633

SHA256
a3734cab381163bc2d0a13ae96c68fc9da9171dcf419a462b591fc4d576f4b9d

SHA512
cdac441fae4ee2dce3989927eb5ad56c0bde4baafc4fa094517f3dd4ca61d6fa1facddae2e95e51f6eac57134c4cdc304b79f07ea3810c9de0ae428f7598361c

Download Submit
memory/316-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/316-864-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download