9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795a

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
Size

104KB
MD5

c3249a430026887f6ff7ddbf40a664e0
SHA1

b806a4e8993531bd0d7b42f17e3bf907cc16a081
SHA256

9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795a
SHA512

03bfda5ddf070ef9f0f3619f7bc34ac06e3886d7bf8e7bad458b0205d6a8c9ccd150fcd7e2509b439d5edb89a7b73cfbaa632a5223fff388aa972762c7c9f6c1
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiFn4r7BTE:V7Zf/FAxTWoJJ7TTQoQcTW7JJ7TTQoQo

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4393) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1960-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00080000000234c5-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/1960-854-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe

C:\Users\Admin\AppData\Local\Temp\9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe
"C:\Users\Admin\AppData\Local\Temp\9f3292ed52c0353857f3a78fd1cd635895fab67176131015c1bfacbddc33795aN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
104KB

MD5
bc1d4dd9611c9e8ffc08686f8db5011d

SHA1
f7168d9bf33fd7ce089b61e36802d97d3096642a

SHA256
2b5cb5c3e864b37ac84d1d90a1d5abccdc6ef41dbe178738d55999280d94fb6c

SHA512
0fd67c28e31205303c521a045d9ecb944b3b8135b52574994637883aa50656ff5401a6a4341f267abd0c0e2248f99ebeb05228b85a77b710abcdf989818dd3b7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
203KB

MD5
b1195b8d855c7fc6118178530b40cfb3

SHA1
c07f003629fd85db840db30920e5132c643e0003

SHA256
4fda170e33509f8c5d6fce27bc61c3c8919fa1c866168bade63710054c818868

SHA512
fce6d3b0789eb0d8476c8b3e21aeee10f1ad521b2590706fedd41bc7d998e0a0d0a59fb631f907aa38b2fd48ba8afd269688644f157459a640c1c7652704154a

Download Submit
memory/1960-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1960-854-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download