122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
Size

32KB
MD5

51111aaf3514c52e79c909a1e9043100
SHA1

b0d46e9157b1c45b1f8e34c7d0d7fa10081faf4c
SHA256

122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659
SHA512

65ae414b9d035b2e9650e1dd8908c76c0372f6f9f29e3138885cb889bff049cf1d3d58ff23756d3bfa3752a8c999db3c374110007362774c8439a21d9b18a462
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeV:CTWb

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5277) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1888-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233f9-2.dat	upx
behavioral2/files/0x0004000000022933-6.dat	upx
behavioral2/memory/1888-1011-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnms006.inf.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC32.DLL.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.PNG.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe

C:\Users\Admin\AppData\Local\Temp\122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
"C:\Users\Admin\AppData\Local\Temp\122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
33KB

MD5
55f2bfa13cd34d36d43a6d13049b367e

SHA1
040505c711cae91b6ea0670a64d9bcc910f4a1dc

SHA256
22549bf9a4428dc0f4b58eba806487c4b2df70f58942b204cc938a48d5e24ecf

SHA512
2c060cff03c5cf1e07db949d9bf4906837ac5a7b5968e08fbd3da271325be58b0bc5379827f7a372f91cea4f2bc9e3cda0c4ac83ba600c653fd4f3baef72739a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
131KB

MD5
8e312136c788965e940a7859a5b028ef

SHA1
64232bac7c145ca44e3a8b9d2e6209785091c2aa

SHA256
8034075d955601fb12d30c76d4da5bb530ea84801644bde6de77ff78499e464e

SHA512
7dc4a158de4ccb9ce8e4d334394533601f6b75673e5c49f0bb589715edd0d40db12900f83cd0fc86f5c618c8a1c92b0fe2f4b3c9320452785e9b6542258eca66

Download Submit
memory/1888-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1888-1011-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download