142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
Size

47KB
MD5

9d644d202ba55bcba23720bf0e613b00
SHA1

ea836919a81d673c15c8d55137e840c176b79e6c
SHA256

142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73
SHA512

f33d44e35af6cdf833eeebedfdb6f8e431a511dd1f32dfc013642977a504a4aedfb74173e8268c47caaae82ce9b8b9ed089909b5a990bee613348c8022cbf2e3
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcuvoE2OiJfoE2OiJo:CTWkySSh9j+9jpGnrBCBMxixa

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3176-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0003000000022ac8-2.dat	upx
behavioral2/files/0x0004000000022941-6.dat	upx
behavioral2/memory/3176-786-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClient.resources.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe

C:\Users\Admin\AppData\Local\Temp\142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe
"C:\Users\Admin\AppData\Local\Temp\142f66762c03aa015c2220afde1f4c85fd50def276f900b28630a0a3cd307a73N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
47KB

MD5
e9488831466d6e334072b2cf48e201e9

SHA1
2352cb736093831dd00b1848716c04935c31bf5b

SHA256
ac21694164f611a78d228892362846d88fea58d5586ac63884daeeca4150c3f9

SHA512
2c32053c549694db7b25a2fe0867e3078ffa68c0d5bd260f4aa7827d02adcc3bec709052e0baf05784acd9be50e4608c826606da8517c6d2c3c734a852bd3a29

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
d9a14dab80bd86709ddaf33e9db65e0f

SHA1
fc1dce2b9c224a00d97b49637603ca5f1a6b728c

SHA256
2e2f865151bbd53711e5a4172d4fc3c5a27fb4ac80dd94a4a2c2a3970c382229

SHA512
85ab313b1fd33aa5b47603bf9088d67d50d8093820ec85e0ea146ee7d4591db8b128b65aa0c8f658b7472b4ccb89622c98280652337fcc878ec552247177b56d

Download Submit
memory/3176-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3176-786-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download