5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9

Analysis

max time kernel
119s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
Size

65KB
MD5

29531e364e8ccab5340875ed2c4a7360
SHA1

76451b14583e058d4f69208e1619756a45bd9e37
SHA256

5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9
SHA512

4fbaa2b7c49060eca00e2df3224f01ede9a6fd3771e4ee64b1da94f9b6129d18b47aa43a5fe266134f285feb2aeb0b1e94b13a2be8bb7801506657b182626163
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzz:CTWn1++PJHJXA/OsIZfzc3/Q8zxY5RWP

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4617) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1176-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023456-2.dat	upx
behavioral2/files/0x00040000000228f4-6.dat	upx
behavioral2/memory/1176-906-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe

C:\Users\Admin\AppData\Local\Temp\5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe
"C:\Users\Admin\AppData\Local\Temp\5f45e90c7b9397aaf8ce0e2bb8439c7f01d0e7d3c469508f181ba3a0fb53d0e9N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
65KB

MD5
4423c33f670a73d902e431931d815bbc

SHA1
0b8d0e715728984e0cde49c3135874757e38ecfa

SHA256
8a32592371b95d93b107a7984e9d0f105289b07ea53d5ce0b8ed6f4cf8d6cba2

SHA512
c2d81d467297fdeb620fb19f665c19d51a6b58f83a0fc0b7bb9b313dd4058ccd3b299ac6b1a65a50fe0b29af4e70d704283bbc4a36dbf0b672e9823416c2daa5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
164KB

MD5
6590b1121f12e05d1b24bcbd55e3b2bf

SHA1
2f928dd7217b5b8adb35c0ca4e27a12f09f07172

SHA256
a452f321ffa5cfd0383fcec7eac28b722e9f0d043557ae968c2062d679c548f0

SHA512
18af6bcc040058f34692f2079f3c95aebb90ff232927f9adf5136ecabff127e00cf74da37dcdd9d278b538e8ab3a21c9bbe653f001665e5a1423be21afc160fc

Download Submit
memory/1176-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1176-906-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download