9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
Size

25KB
MD5

539f157ec1c1550ecd68a1c5763553f3
SHA1

75717a9c12a77d4667bde760d5df37794c012b42
SHA256

9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777
SHA512

eddff6ea8ee1567865adf47ee1ffa6361f44e7aed13c0a8518c80382f488e229698030112f5478a16afc916bafff2f1dbaac55bb72bd562d46c550a918fb4e85
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9qQ+5Ce:kBT37CPKKdJJ1EXBwzEXBwdcMcI9c

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5345) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4704-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00080000000234a5-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/4704-1077-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.SPClient.Interfaces.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLPROXY.DLL.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Expressions.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginLetter.Dotx.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe

C:\Users\Admin\AppData\Local\Temp\9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe
"C:\Users\Admin\AppData\Local\Temp\9b4e1af656776ef32c46d154bd2a2717ecded96889b97279cd588a784c85c777.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
25KB

MD5
5ab303f767cae45dc59b891fd2e42fc6

SHA1
519b0af2685eb8d36da43cddc85326c95e85b034

SHA256
2b9a1483d2aa9f4ebbe092a9227d0f35543ad6b16aa493651cf95283e0bbfaee

SHA512
354f7a04b77dfaa3e9d9823a785654d13dc39934fb8f3a4c3c74370618be111d344bf7ab713f28cc5baedddce0a52c073125e403b9f33cd11924f17700570f86

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
124KB

MD5
089f40cdbe4bdf79ef2c97f9211904c2

SHA1
9cfff50fd3022755b05e26ebbc1323e47e91bb71

SHA256
534523fd80c33eaa5ec1bc95d1cafa565a1180b4d09ed7642feba337c11624b5

SHA512
c93d8c3c44c1ddea135f0cab0a12f7f4b2659c7586675688a9b7009ca90e0b9acbefb3a62d91a9468a4b7b9e3683232301cc130631f76bb35cddc298f61aec9e

Download Submit
memory/4704-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4704-1077-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download