0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
Size

47KB
MD5

fd6581873a05f1b920b12d260d8cccf0
SHA1

5f0bd293a12d7ea0855852ddb10f2ba28014720b
SHA256

0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577
SHA512

eb3fdbdca917593c97c58738692522b1504afdd25e05a0563987f49981d7d0d6f5f0ec56d3d71891308169fb66adf432e67c49142fc3d16c6ae33b335c2f7b56
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9r:V7Zf/FAxTWoJJ7Tx

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4679) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2012-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002341e-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/2012-1012-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libEGL.dll.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.tmp	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe

C:\Users\Admin\AppData\Local\Temp\0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe
"C:\Users\Admin\AppData\Local\Temp\0e3bba75188300f09427c396d1ccea5ba0db4fc261d4d5565f8d214a761bb577N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
48KB

MD5
c123c75e2f8685f09592fa715f0330ef

SHA1
05b0fcad3f22e2d592477679ba5d30ba080b2f56

SHA256
3957c98315b4c7ef18df68ff57a632758847591d3faeeec1dc6789771f015ca4

SHA512
413988224394af053092c6ea2df64f90791a5d3be36da4ac62d5c3d8074961f4c852ee7aa3dbd66654f4e35bd520f6955f5f7dd21c37ee328173b952248769b4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
f473aa28cb15ab5cd01bbf1076c1c1eb

SHA1
55a661d62a7880950aca4ea3b52a48b7f4bb664e

SHA256
ede1782fd3d1bbd82a4694ec0a7e06967f81b7065ebd57a74cba0317cf0c90ed

SHA512
f3a105d54e416f322f54af65252f8763774074d5894a6a8e2e32ea0719e9d58dbe505c083b1335757c212f3d41ecea059731eefc423c7436436f32226cebcd91

Download Submit
memory/2012-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2012-1012-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download