a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acb

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
Size

57KB
MD5

51a7d811d8920e8317492182183aeb50
SHA1

234b9ec086f982dff76843b4659aac267488ddba
SHA256

a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acb
SHA512

4533e973a8954bca703ef084933a833cee5913ddbec80dd1826b2f2db555a19307bd356a1677d43ace12708f889b6737e9951ca9b170b61aff4f4daa372de3fa
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8+g9VyjVyB:KQSoC

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2736-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000a000000023473-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/2736-930-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe

C:\Users\Admin\AppData\Local\Temp\a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe
"C:\Users\Admin\AppData\Local\Temp\a205ddd892355b9bdd282b91a37110943c53d2be24d9fcf36ff363e3878e9acbN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
57KB

MD5
eaa333f6d5e03646476a99025ce05cd5

SHA1
ff724376d6fbf5c681119ea7f33eb59a2d5efcd6

SHA256
569c5cc2c1ae3131449806401f53a129e11dd37267ec8169cb3b26ca6bb53d8b

SHA512
c5fd13ed6e19a6f6663da8cc9f2f465152fc90d3b83c3f99b1a31dc9726da46ddb77dde729d1747bf5b2783b7d642fb41df3656e7b7e2d10bcbeec71dfdd5997

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
16bf514486b26563a10d608149b1f818

SHA1
6dd5faa34cfb37384589b11f7214cf488e7ea2f5

SHA256
b376a043de5bd08bb88354f4edf937da7dfb0177ee22eb78d151844bfe3292d2

SHA512
78d4d6a58a9559d07c8a36f6550ed1d98deb7101601731e7a762855ce2aeb5eb4e8177f4c2fd986e4dc6afeae3fb4e081d939107ebf3abc8dccf5dca6c56129d

Download Submit
memory/2736-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2736-930-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download