f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
Size

59KB
MD5

bf098a87c3fcf5c1ca73663bdf797fe0
SHA1

9305ef006da8145896b563cbbff665575d4fddbb
SHA256

f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66
SHA512

79615fed4da1f501cbb1256b5bfcc149ee5eaae10dc6acb15fc12f0e2c6f824cf22c6d4b2106c20b6fe89bcda8f1517a25e10d9413c5aeb4d2d5d1e03d351fc8
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKF9ADJl:V7Zf/FAxTWoJJZENTNyoKIKMX

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4641) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2804-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233c7-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/2804-918-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe

C:\Users\Admin\AppData\Local\Temp\f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe
"C:\Users\Admin\AppData\Local\Temp\f0b78f9d48d28917f633781f4c464c6e3fa671981fd0376d5f1cba3e17b6ce66N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
59KB

MD5
6165526c12e2835f21247329a71ebd07

SHA1
ea5b9016bc98a3ba579a15758b5ecaa4a5d40add

SHA256
699512f6e16b2e7cf4aa3b774725b84263918a42a85ece843adfb53b973bf78f

SHA512
19d4f56c54213b52d20519eb914533438a85c411f645df8952888558315f91407008c121a871320b37c7d1ba52385eee6e080496f95167fcaea4d01c271d79f1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
158KB

MD5
b705262246c1f96738e15d88bccff1dc

SHA1
b205cad5880716db43c485de08c13776534842d2

SHA256
1919b8213cb3f7e520d8157cefb5ac9b2b5c86bf24c132f28600e7d69cf3edce

SHA512
21a40ab71c2f37e9efadb06e53b3f8f747e7038770a028c3de0680e0c9ab470dd1ab01d22d87dd8cf9030b520b6b31422a6e889e48547d13bcadee58f3946cd8

Download Submit
memory/2804-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2804-918-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download