23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
Size

89KB
MD5

95e1e350acd07e34448beeb52104c1e0
SHA1

c51948ade43fb06248d53e0e7cf231d5b1437613
SHA256

23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5
SHA512

270ae020115f80d10f87ab7503f29a29e979b04241c3876ea5b81654d9bd5c78a06229d6c87489e3b6ba624abab3f25b6e46ef50fb69c37cfada6a700d4a5edb
SSDEEP

1536:V7Zf/FAxTWoJJ7TKyXKoyXKoTW7JJ7TKyXKoyXKlE4:fny17KdKv7KdKlE4

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4368) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4984-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023ba7-2.dat	upx
behavioral2/files/0x0004000000022941-6.dat	upx
behavioral2/memory/4984-668-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bn.pak.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\DisableEnter.exe.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms.tmp	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe

C:\Users\Admin\AppData\Local\Temp\23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe
"C:\Users\Admin\AppData\Local\Temp\23e9a323397c0e8cec508103b270dee0f90bc15f1fdd6986552f5c776c894af5N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
89KB

MD5
f6f32ecc71226f36f1fb78b6b2289924

SHA1
dfcf6f3cbdc332bd51a459f118544cb773dd8dae

SHA256
fdf26079f584269240d8b6341c81dfa207e279ddd77b07893b9854213fca8706

SHA512
4134e9a8c28e2153d86cfcfaeca70ae9d7269c081ff1cac5fe5edd219f69d879f11064b94eec577b51047dce6e9d7f961266f2bfdc6025f2971a08bb3bf0aa2d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
188KB

MD5
9bef909b687764df15542b30c0bbcda6

SHA1
8a7057f03bca73c0f426516a1a9323d258b5eaaa

SHA256
9588d875e7cfdf66950dbf4baa94ca4a0f998399a18e3f044d0714ef4c9badf6

SHA512
9618efe2b9f1615d134812ae2428bc75cc133120856377fcd1c95c4584a0aeb0266b067a6ec860843416d51cc3106955048129637514916b314b83ae6177d5c0

Download Submit
memory/4984-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4984-668-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download