f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
Size

84KB
MD5

2d7ffd20328d921486e2e6f8801d9660
SHA1

96b8905b948f58a0c3bf3320a49f46d40d63d2f5
SHA256

f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3
SHA512

8af49e104efd56525949f2c8c48a2b467c07758ec4dd78bff1049de7f5ceeeff99a2a81cce8b49f747536a2fbb6359cc964031f589a5d94c0683280eaf69ccdd
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9ZJ3RhBT37CPKKdJJ1EXt:V7Zf/FAxTWoJJ7TzJNTW7JJ7TzJe

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/8-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233f5-2.dat	upx
behavioral2/files/0x0008000000023455-6.dat	upx
behavioral2/memory/8-904-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\ConnectHide.ico.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\DisableApprove.tif.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\DisableComplete.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\cs.pak.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\CompareMount.ps1.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClientSideProviders.dll.tmp	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe

C:\Users\Admin\AppData\Local\Temp\f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe
"C:\Users\Admin\AppData\Local\Temp\f427f2ffcbe92a6cff2c634ff9124d998d976577d58369ea5b5b5795a1b88ea3N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
84KB

MD5
08da0c0a43609c78160346c94fa51428

SHA1
2d6427f6c0ab50bd314386a3f961d03411ee3aca

SHA256
d363ddd30e258e22fc42bc9d2e0da85831f23a50e32dd591df34a97cd9742e67

SHA512
c2a7d86c8a6a447962257c79f008b361e398e1189c2004e91cf3c5ff633709b520956ab1957b487a5c13255559c451a04b972d77405d38e041f5a53d4a6e0d79

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
183KB

MD5
63fb3e3cc420d07e4fedfa7a35d90512

SHA1
85d7e78fbd7130e4101c7511a4036f4e21a5da96

SHA256
895d2968da34d7493d11b950d512890f37dc59078bda12c98730c41a0d20c857

SHA512
3326396ec36e43fbc241558a7a722db534d16fc00b772f74b6fde7d6deedbc510b8d1c06aacce89dda882a593af139ddb1be0adebae3ef6fb66c8ddf49304150

Download Submit
memory/8-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/8-904-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download