518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
Size

51KB
MD5

d10353421f63b69daeaf17e6fe490af0
SHA1

80d165d2370c5a81e4c43664d24840763bc7602f
SHA256

518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078
SHA512

eaa207a8628c203bf2b3d38937fe7abb935b14b7ed9b9586e04edeb034189e62a906acb11613de3a89c9ee95890e9831aeb4567959ba7f647002ff4dbc929a9d
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9Ro+QOViJfo+QOViJY8h:V7Zf/FAxTWoJJ7TPUr8h

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2496-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00080000000233c9-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/2496-902-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\csi.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe

C:\Users\Admin\AppData\Local\Temp\518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe
"C:\Users\Admin\AppData\Local\Temp\518c735b675d5e5956d20b06ff89b7b4b3f65ad56002c8e9fc25594fcbaf6078N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
52KB

MD5
412c61fcca4aafe92de9fc8ad69783d6

SHA1
8e178b6a2520262a0c2118efb3b7b415ed913fc6

SHA256
e7dcec399c7e8d0d4646c642c5400f5c51bfe3c9878a977f1dfd98a7722052af

SHA512
af17e31b9e14e19512554930e116231dd838a2e37a74fa0308f06b6e6c650a64c7315ecb04b08f9cbfd98474eb2f55befb9773db3688c2238b9e5d6952121b4c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
9e273633c17025ddd3b4f93c2db184fb

SHA1
452a140b9189df4221d599e5102a20555748d71a

SHA256
0be359a9219418502c894ee1139dd85ab137a7b22b3c5d3c434c88b2e3b1638b

SHA512
a76c78335a06cec61a595ea000ba2974d11be1a775fcb52094f177bb22152c6b20e90c8fc48d5d4aef0ff76a97382cc16b57bb75b8c619feb02341302417bd5a

Download Submit
memory/2496-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2496-902-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download