a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67ea

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
Size

715KB
MD5

9ec099628b39f767cd928071583764e0
SHA1

9fbfbdef4a3adfe6d7847e5cc764368292e5b8ad
SHA256

a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67ea
SHA512

8901e59eeed87e35a17bb4d40b0507849fb309dcf56fe20fa64adbd0580254861c750f44b3f77fa6856614b12205459838c37175e50c14a845ba9ab3bef75dee
SSDEEP

3072:fny1oRhw5FuOS54ZxUKJx8gcs+vVmE8XAFRo4SAeyC2CSq2CCuSCSaG+eC2BYqez:KWR8TUjXTRBhSycuwLMqWtY

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2776) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4932-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023449-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/4932-428-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jre-1.8\bin\sspi_bridge.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Queryable.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\EditCopy.001.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe

C:\Users\Admin\AppData\Local\Temp\a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe
"C:\Users\Admin\AppData\Local\Temp\a06d27d9a98011d56799e7ddac009f2aa594ebb526ec9e353b3cf386a3bd67eaN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
715KB

MD5
1d3697017894e3ce9df19034d95e8e10

SHA1
757d0509387cc63373703e9ff413fda48c872a38

SHA256
718de1329455258d60c6a8fb681d2060e2d79a6cc7d97295f1932cbc85167f02

SHA512
037c6f498a808caa4467e8eb218d75679e7cdd3eee1ec9a67a2dc745ae3467e99acf85b221f71cd1c712a6f6c2db2597080c8196aa312c749935c9a9f617cf5a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
814KB

MD5
bced28acdeaca55695ec9a8e08358269

SHA1
3a3378180ee259cc69e91c79151a68f136ab80c0

SHA256
c3f40dbe3b0a474ddbd354dd930aa2e27becd7569d907669f275d5f36767e44a

SHA512
cda935a95d4c3997cf92d90f0565ab393dea5ef8439eef55b13aa0b1cc8dbd4e70535796dc6877d7db5c78d8f0b5f4b78da23db1f8ebc2572458b5e7249de4fa

Download Submit
memory/4932-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4932-428-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download