ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
Size

69KB
MD5

7c079312921ae5f192f29044c74acbb0
SHA1

c880fdf157fd811b16ff8f6fabdeea3fc1567d7a
SHA256

ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1
SHA512

1678c40367dcb3534f98142559996a3f0c6bc4b469d2abccb44906ee1945203968889409cb2438187271d45e363620a6a2bd4960a9fc740db71cd11a06328eee
SSDEEP

1536:V7Zf/FAxTWoJJZENTNyl2Sm0mKRgZg0C44enYE/FXHFJV+C44enYE/FXHFJV6:fny1tE42ERgZgM

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4532) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3508-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023616-2.dat	upx
behavioral2/files/0x000600000001690a-6.dat	upx
behavioral2/memory/3508-860-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Controls.Ribbon.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe

C:\Users\Admin\AppData\Local\Temp\ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe
"C:\Users\Admin\AppData\Local\Temp\ad87063fcff289d9ace99453ab67c42005183e7ab1341ab615c2eaf9dcc587e1N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4012,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=3768 /prefetch:8
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
69KB

MD5
413989ba0e92671ab593748358087d71

SHA1
006af7b9ffb90e7ed0f9b69d3de5db0e4fdc05d2

SHA256
4fa1e218006e6f80284a30698eac7073f529e22980ef0d5c21e77a1ec932fd9a

SHA512
7b4beaf598169108d821bb0b78f302bc18a1a216834e12573405daa88135bb4c5d7f49516fae3788ddddc64814c99698d7f65b5c9038a8f1be44b850fceb42b4

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
181KB

MD5
119659bf511e0d8eec4375eb5f4eef90

SHA1
94576ef13befe2ddef9a4660bced156bc70d0f42

SHA256
fd08953024d55f3a6f5dce4cfe1d78ef88a4b7f55d19e30b449d6fdc6fe544d4

SHA512
6c2177249d8c66e5dfa652bc01a591d224c0491d8a579968d682a96751c7cc73a5c8c4b38c9b7450c9052e8fa4dd95dd2257a491e0e9e783c5c366b276a6bb64

Download Submit
memory/3508-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3508-860-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download