c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
Size

78KB
MD5

6f8a9a7a12527c9d33aee3a6bee72490
SHA1

c7d6ed27abe65d522df3e818b42983718826cca6
SHA256

c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917
SHA512

944fd7d39f02f358d9b2b83fee7e90bb7186192e456daf9e1f3bfc51e7da1ada9187b3e36514cb32e355d9d8f7c1f319212c92747a681b5cf9854cef3862f319
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxB:fnyiQSoc

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4622) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3032-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233b3-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/3032-874-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationProvider.resources.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe

C:\Users\Admin\AppData\Local\Temp\c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe
"C:\Users\Admin\AppData\Local\Temp\c4df787e0bb840daa530b4484440ef08240029e0155fa8f638947c74494e1917N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
78KB

MD5
ca441620529363f05f9267326fcded55

SHA1
5149c5adef66d75709331d4284dde808e82e054b

SHA256
693fbb862ac2968a3f38ee6b16d81203127fd26bbe125fc8bf0339bdae04a455

SHA512
1c21ec57d9c650e78086bbf7a4f2bf51a54d887f08a4155889f44797ebb86d2797abc362fc4dea4da8d66e8ca7aa3d035579b7494890a07ddd61ec03306ba116

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
177KB

MD5
05233110f87f6b3203add2f7fe7f80ca

SHA1
b4e72d9bf046d55ed5989258a6a252abb6d6afb1

SHA256
c8bea48018f0022f3337c8aebb1166648a10d322ced6c330c6efc7c8ef6a8a65

SHA512
49ce00a031ea931d8d862a8ef08b42abc8826d7393405238dc594b8bf3ccbb308e5d3c3a2ff6c4ed8a6de865f85c69af34bbfef055073f15235da5c411c7f6e2

Download Submit
memory/3032-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3032-874-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download