0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
Size

54KB
MD5

9ca7aa1cd3879d4b87fb52ecffec0b71
SHA1

fd6b5347d977a1597f144275fd2b6c72d6df78d4
SHA256

0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15
SHA512

c5a52fefd43df0f8228e7673a00cacfc124bd5c4658801618dfe21eb3c011464999ce29ac799493799716fed5a3830a5058fde50f9119d4770fba6a7b77458b0
SSDEEP

1536:V7Zf/FAxTWoJJ7TfUWWUbUgUgUhUWUbUgUgUhUWrCgmD:fny1jUWWgLLUhUWgLLUhUWRm

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5201) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2040-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002347e-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/2040-1012-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\DenyStop.html.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Microsoft Office\root\Office16\TextConversionModule.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe

C:\Users\Admin\AppData\Local\Temp\0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe
"C:\Users\Admin\AppData\Local\Temp\0b8cda682b56ac2b0f9366ce4fd24129baa90a49568652d6871a3283d60dbf15.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
55KB

MD5
a165cfb07ca000b719d68893cb7934a9

SHA1
ed923c8591d131c62c048c702a63607509e49baf

SHA256
08574d1f3af7f45052baeed8e12c09e9f4373064895ef70306735500f1d08aa5

SHA512
1d52cb8e2ad3a714b8c0ffa6cbcd36f8eb85cecb3f54c2ed9f5f78c6de800a808acf92de5c6a1bbe51afa706bfd6e7c0d1033defcc373688d877a30c98d8aeac

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
f7bc362c8af64778ef8a3594a7d48539

SHA1
0275b48d889274b90abb6a9a751f55f71b454a5a

SHA256
7d3109ab44c5b867e8cda31b617c97d1d83846aab9dc35a7589c8af6d8e577f3

SHA512
b5f94046425e9523d2c8acf72ae6c4da0b058ec55e7974d5698ee6164c952ad43db4e5eaa2f82a0ea1b60bf9c2242b348dfa6a4856641cd0637af888f3506823

Download Submit
memory/2040-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2040-1012-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download