2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378bad

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
Size

54KB
MD5

0cde5eacdcb99cc14eb874a9d34cd470
SHA1

564a8fbf70418bac1c4d49e37ea2e5678802ff65
SHA256

2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378bad
SHA512

8a29691de382685e7f5dfd16fe7ca136bb17347f3d244c13b27ea1100df840d5a3d9b8ae8e8f94a9e9336817825f8264392840f91dcca06601e6e704c6adf1a3
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJTU3U2lRtJfOsRL:V7Zf/FAxTWoJJTU3UytJfOsRL

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4645) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2152-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023452-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/2152-928-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ru.pak.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe

C:\Users\Admin\AppData\Local\Temp\2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe
"C:\Users\Admin\AppData\Local\Temp\2d764f3aea29952e3247264670489e564500d0dd33a70f86bbb5dd5c80378badN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
54KB

MD5
5de2d128e9cb1a322734d0bbe1b3a3c0

SHA1
72daecc178646d02c3a23d7775d2cb737d220fad

SHA256
2827e54b51023cce8d6d74564e895d2c7c92f150d243b3218a00f1408e431144

SHA512
afd793e7aa2e22522ec33105175973caa5097dbe9deadc7adb32a882a881aab97b03cbca13a45c6df3ee67e56de5aba42a413617974a6d5a6eb4b0e56029504f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
07eb61dc46c5e4e9881e1f15c180a7de

SHA1
190fa39ff18305970d0d126629663868bf143495

SHA256
7f7de50b9e1642365eebffbf9b7bf97573184c3e018fe0c4a9e0b57a666766ad

SHA512
475329f9b691d3990b0a18f2977f1f4311cd0281ed407b7bb1de9ef8fde6a46ed5f559f4119c4425b37444e056aa3ce3accf9cf8228bb49bfd1c2dd331f41e92

Download Submit
memory/2152-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2152-928-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download