89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8d

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
Size

63KB
MD5

9a1562e9748c837d9e3cca6750723ca0
SHA1

61cdbb2b31a1cdcb0a81e854951248665595fcc7
SHA256

89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8d
SHA512

a2fe4ea391f777777c55439b0d9e7eb7b85650146ca5ab28adfd5fd66e09ab9249b529c30c433673ca6cee043f25a353342f28704898763816bb2d1ddd29ba11
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8zxY5eYAW8:KQSox5a

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4608) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3592-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233ae-2.dat	upx
behavioral2/files/0x00040000000228de-6.dat	upx
behavioral2/memory/3592-840-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe

C:\Users\Admin\AppData\Local\Temp\89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe
"C:\Users\Admin\AppData\Local\Temp\89cfcb9e80707a8ce8c62efc9eef2a066ad948c0cb3d90c11cfb5aba7b082e8dN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
63KB

MD5
7a94bd6e3efd3a00302cd9ed9b176863

SHA1
1c4cd20f0b704d623c8ac597169fe82f080346ca

SHA256
ef831677fa5d5bb21a9433de3a8a55b6029b04c909a0a990fab842216c92909c

SHA512
6a07d39ae5198e433c180e1e1616c73d903be22def566f02b8d04b5aa91d19353fba474c34bf5bf294fbdd1b628ba8e7b0c00e7ba7ca337655bd59c5e75ef877

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
162KB

MD5
7b434cd346ebb18e3bb28a34d6041e26

SHA1
f560776fc34bb4c7959d53479830bdebccb3e152

SHA256
057cf8051a40f36ebcac31bb06607104ef011659599a10e3b4b0900600de6838

SHA512
9449345d2d3987be068a372f3222a6445e9db43035327cf9a5d0e0b6056f244df1e64cedae567f6bf38eee6887e4c15b4fdaba7b1dbbd5bc402de55e1c8adabf

Download Submit
memory/3592-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3592-840-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download