a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
Size

35KB
MD5

c3d77bed1bc4df982849b143f48bc880
SHA1

cb663cbce1b6b71f756fa44a2c0bb6b9eb0f19a1
SHA256

a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8
SHA512

5685784a336aa921fea954d2096a1bde2704d90258a02009adb15a7160c150507065324b0db2fefb8fd3b829ac2aae119659ea6af1a25512a5233c5d70ab99bc
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9Ro+QOViJfo+QOViJD:CTW7JJ7TPUY

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4667) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/60-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023474-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/60-923-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ta.pak.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sspi_bridge.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe

C:\Users\Admin\AppData\Local\Temp\a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe
"C:\Users\Admin\AppData\Local\Temp\a83b3248df3b7c95a4c9810eb25e7bfadf85ee16722eff0a22df331bc62249b8N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
35KB

MD5
245a0d00bf077e61eeec2a8894cd9c9d

SHA1
610faae39116ea9f26dcfb8399cc67599a3770c4

SHA256
aecf3ce11083b3a1d190fd80951781b90fece753c060131ad61685d000a8cc8e

SHA512
e16773ce6b41bcdc72619833620c08b5b13dc2ad24e4ddd13861055812e7e9888b658f36074be80f1edf2e9b18159e88151a44fef91b4823607e6794e0820fe4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
134KB

MD5
456e7bb4e25d7bdb51eca8cd1981bbf8

SHA1
1106c960d82cd0e05a7f0a9523f4196d6697853b

SHA256
5e953641c65ebb21ae00d2d4179db953b0de08b398a7ad6a498f923e74fbd0b8

SHA512
94e5438cf4b1dccdb7019018d6d15e23f1ff461807912e241d686e52cc7ab6d190c04301533136e1f553d57b9aefdeab883f78fef9bbe86961ed72ce30defa04

Download Submit
memory/60-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/60-923-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download