ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 14:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
Size

62KB
MD5

e28bef516c6498810889591db6a57180
SHA1

61dd9095d69051b646ed48d642704d619a13f388
SHA256

ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613
SHA512

167c37e729c1028556de3f0426ffe92e2339050e9fc8fd4c40dedadde85038a11c821016af8928c7c9a6d4a55584ade6fb7b160a0bfaa5a6d01a31df75dece9c
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9Hx3R9pi1xOR9pi1xDKqA:V7Zf/FAxTWoJJ7Th9ko9kPlA

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3024-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023428-2.dat	upx
behavioral2/files/0x00040000000228f4-6.dat	upx
behavioral2/memory/3024-908-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md.tmp	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe

C:\Users\Admin\AppData\Local\Temp\ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe
"C:\Users\Admin\AppData\Local\Temp\ed1ef96d8a168b37b34e34e72b2ae9a68de6aaf3449e3fb12fd70c14b6da3613N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
62KB

MD5
10fc4a0264691a5f43e66355066ac6d1

SHA1
210a5a2f3fe5d8ade700a12ae7dde761310a8ae6

SHA256
91f1cfeed8ed008783f57cf00c6dac6ef526e7f84f3df79c69e0cb6b0c5a5248

SHA512
909b1d6e3541c8a8ec1012f861da406c7e709f41854d1eff22d08b4d8d8004d9861a2175ef2f7e18713738d048d6bac0c7dcd8f29fd25f9cc06dc54ab0a819ad

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
161KB

MD5
626aded812305e4383b01833fc76d2c8

SHA1
dd6aa8c996d4dfa11c00a1ef28053f4c7c887a05

SHA256
28a58590c7909aec55b496d46b63490d2b2298f4b19d57c573998116c8f870f8

SHA512
9a9495ebcbb6a5d7670585f53bbe1452557c6123641db6dc2e7dc34f87773123fc86703a1c1f933932b25e40f550df5170f5f627e4b958892d7d2018f04910b2

Download Submit
memory/3024-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3024-908-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download