c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
Size

57KB
MD5

fa5270dffc768f6528854b1c668a6580
SHA1

c72c1022d1d0d01275f22f16cd344f14017cda81
SHA256

c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1
SHA512

35b683d91d95d55e0960f275afde650280f8c94d045605d536e988fa9a60bb7dc80809d59a1ad437d70fcc116a6f71954fce27fb59cd09d78d49319604fb2c7a
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFIZ:CTWn1++PJHJXA/OsIZfzc3/Q8IZTyp6

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4572) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4164-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000235c1-2.dat	upx
behavioral2/files/0x000600000001690a-6.dat	upx
behavioral2/memory/4164-852-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Expressions.dll.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe

C:\Users\Admin\AppData\Local\Temp\c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe
"C:\Users\Admin\AppData\Local\Temp\c2fc76b38e4165f94a59b8d3489b063008127f569cfb3cb6bc629749a60dd6f1N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
57KB

MD5
7acf28c75dc24fde807bdfbfc0c60cb2

SHA1
1a0b7bcf442d8a802ee317d232a3fbc74a784ef6

SHA256
c2ec344661b058e605b4d3bb268a023573f168d490e2adce12daacdd8c89319c

SHA512
ba4c9c1362c91c9266a2f03c3f940b7f25b147be4fd281a6dde596f9c917b4d056ef794e32e3d5e1a818a047c9223f92bc2db60fa65583bae2ac2dd66070ad60

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
170KB

MD5
a1d2b2059641e4f54fc8074931234d11

SHA1
c41ad01dc2fe5315d7fe460e0f3ea0a3a3fae639

SHA256
8a0876860231d40f264d55f7024f235ad78bebdad6dc4be27b6b952b40edd8d9

SHA512
9a29704df1ea46b212966b938f589288d4b46a62c1694adb88a95e2bc48966e994ac854dd69b2d6066739a9b0f424e1d2c7325ae2f4d503aefa74133039126cb

Download Submit
memory/4164-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4164-852-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download