3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 20:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
Size

36KB
MD5

d465741fdd1c00c9de0f593847df5803
SHA1

e10d6f4a0a3561f7dbed688a2199e0552bfeab32
SHA256

3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01
SHA512

2a47ad01c7af6fabe67db8d361eaf6499d1a6efa72f5313c6775ab974039dc1cb330dc8c2c00c102eb42ac5d5f80ba7f4250209441d4eaf678afb4bdcfc4afc8
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATBApwp133EskmKsN33EskmKsKbP8/8g:CTW7JJZENTBAOIfmKJfmKs

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/544-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023482-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/544-916-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages@4x.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Controls.Ribbon.resources.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.boot.tree.dat.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.gpd.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe

C:\Users\Admin\AppData\Local\Temp\3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
"C:\Users\Admin\AppData\Local\Temp\3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:544

Network

DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

210 B
133 B
3
1

DNS Request

75.117.19.2.in-addr.arpa

DNS Request

75.117.19.2.in-addr.arpa

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
37KB

MD5
cacb3263a5e4e0a4f777d6316244df6c

SHA1
09f113e99e7546df268ff2a6a999c5ed9c4c6904

SHA256
788ad34239ba4ce91c0a44e24a02853f2c4737097d7c16f12619f356eac22af3

SHA512
52994a353f0d8d37b1d803a6d9cba71b323859fa63a444fecb086d07d69f7f3e36dd077d8f020b0a936cd142081e1f291e63a42512882b3149c5441bee33c055

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
1afb38b951518dcf7b9691bdf86cfbc7

SHA1
2e3e5f65c1028168f7f21634ee4390205be93eb3

SHA256
b9662e4233ebd153f91a0084a8a39a3b8305254169569465af667d92c5d5b818

SHA512
708b06a7a338c83a1ad96faf9a558170c57c05d86547be34db36573fac54ea537ae6b30c6e4158951c45fc9fcfaeb985567995c635008ba739490eb45a937c7d

Download Submit
memory/544-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/544-916-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.