61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
Size

90KB
MD5

835950fdd47d67a8c47d7f4894f15493
SHA1

08e3034912a8a62e894eae0ff6b9bfcd155557ee
SHA256

61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87
SHA512

8a4ef969be1bfb5387678859f14ad2d14e11d35b0b50eb4e38acf4469e50397af3a9593a6d30c418425f488c03b25681b2d5981eff55ff8e6dba349311c88cf0
SSDEEP

1536:a7ZyqaFAlsr1++PJHJXFAIuZAIuXsJtLJtL:enaym3AIuZAIuXY

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5028) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2988-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233fa-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/2988-862-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ja.pak.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Common.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe

C:\Users\Admin\AppData\Local\Temp\61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe
"C:\Users\Admin\AppData\Local\Temp\61d85f958abe502b033355b9d16e941adc2dddbfbe5591a199c163414134bb87.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
90KB

MD5
3bd7c05c0dc245e8ad818d2d90ebdb38

SHA1
bcc426ae0c0dd4fa4d2da2b26055c935d5ce0873

SHA256
eea9b1c1314c905a993f5293ceafebf736d7683d35861694f22bc27cb5a1b185

SHA512
bdd419eb555563f67edc1059b6fbb54c1b4126e899ad98d2946d6a6dd8b40c4046257dab5e651cc47cafbfecce81a9c886e5b67688081000aaa94d5b5a790ee5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
189KB

MD5
c82aeaf6f89ea19fc952f27da7a1e752

SHA1
2a50b390f2d18a01f5cce4b2727c65c3e6469115

SHA256
6a5bdf05ddae51f8811de90b8e910f3213c42e996967e7b23fc64e6c7cc109fe

SHA512
b4f6231d124ad00d97db3248242764656887328574b937085537ca6e64a7b55a2bac3931076ee7acdb42abf8dfe36f01196bb7e67660569b53f7b10a3ec2f5c9

Download Submit
memory/2988-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2988-862-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download