a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
Size

103KB
MD5

dd14d1d89d2a55849981d8d8feab39d0
SHA1

870d89b0f2f735494a5f0b671dccdca01cfb247e
SHA256

a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470
SHA512

c6a7984424e5de198d711672aae86b24ed609dfde96025e3c9b68dc2dc416423d9a7ecc4551b1731dd3c588b314a036f89b655d34a0a7e3bd28d4271387b652b
SSDEEP

1536:V7Zf/FAxTWoJJ7T8VseGZvH6Ng6kxyQbs5Otr2DVdZOwo:fny14VszZvH6Ng625/SpdZOt

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5017) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4752-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000a0000000228c9-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/4752-858-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\local_policy.jar.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC32.DLL.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe

C:\Users\Admin\AppData\Local\Temp\a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe
"C:\Users\Admin\AppData\Local\Temp\a93bb67070d577472f2bf294b212021062199694844c48aca4a95b8e6cd4e470N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
103KB

MD5
86ac2e9d913f17178aa7ea38356287d4

SHA1
8f3e662e707e8ef21b479abf55f3a626aa3f95bf

SHA256
e51eec13c34d967810263eee07105591e52734fbb375352ea7befb8812818149

SHA512
611fbb1271e4c8e43bd0baf4bb5ada437adeddc9f365d515eec82fd7fd68f75613fab71fdac0679fdb51621dced476dffdebc296e72efc97ddacfc1a891a8d4d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
202KB

MD5
f1445540963c79e085ccaef2f2e0aa44

SHA1
c9cb829d5f937fdb2936bf8de1e4fc44a4f307c4

SHA256
6d76c8d1b046f0a50a0b265ff084ccec663754bc0599cfcf027ec21597010b06

SHA512
9427d4ce5c367b33e1adaf81878702a1d14425ddc46afd96145e70659199dff16c67343620893ab7974f9c51ec7582942801d42cf190946f1476b54d08e2456c

Download Submit
memory/4752-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4752-858-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download