d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cde

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
Size

34KB
MD5

6e7e5e2f1908b3c53c06eaba7e3345a0
SHA1

41de009093bfba8d3be272a13c2ec4d51f7c4387
SHA256

d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cde
SHA512

5b311f194995642fd6052106c0848a4eecd62fb83d0f28f08ce0e13780f2b69a1b1191133dea542de528e59b0b12cbd35c5f630fb202a059e7ff5e92612ff0b1
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9K4PCs2B24PCs2BKjg:CTW7JJ7T04PN54PNG

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4671) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3944-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023474-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/3944-930-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\csi.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe

C:\Users\Admin\AppData\Local\Temp\d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe
"C:\Users\Admin\AppData\Local\Temp\d69563da05225a9a3528040caa76cafad44eb5474a24974c4b09f6e8a4475cdeN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
34KB

MD5
091105e48edb59817c920ba4ad8d805f

SHA1
b7b7847e7b944bbe36eb85d331ad0d824f354f3f

SHA256
6e0c40f551e15a87ce1f51f95e64f2ea2eeb2d6f8c15ebeed02eb36cec0c02ab

SHA512
c2d1c2101fc0c6a627dbdea0b153c726a1d1b50d148e7d67bcb164b9d71273043b28ee66f4d65606feac2792996ffe94093c2a4997a1c0308ed3fffb705e2ef3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
133KB

MD5
1e92f48a49226e8be3861f85e7974e2a

SHA1
ee589e36785e3fa466743925dbc2e7b746603f1a

SHA256
8b4ab83ecd21fb56ed56ab443ad8aff39723d7a09b3590ac8aefd4dea6a81384

SHA512
f6c297718513b6f72af117c7c79b08a66c3cf327d5e59bcc478b863f37ac6e0283de392f04d5f96e075d5adc2ef55c3a8a946b4efaa7119e58a3f25a5feadf9a

Download Submit
memory/3944-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3944-930-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download