2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1a

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
Size

44KB
MD5

d73f36c64bb464f822ecbd926517af80
SHA1

859e3962834df3ad16caca0e0bde5030bd4cfa71
SHA256

2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1a
SHA512

da0f2904a6e87e8a63864dfd6717cc1d507e08d9ba6ae1057a949339fb30a2f94bf39e045715dc5566e409122dc76a4ce81c18248e7951b0a8ed4de1b23cd360
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJPbUEobUE51lRtJicszsOVCXb9CGDb9CGea7Aa77:kBT37CPKKdJJTU3U2lRtJfO6CQCM

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3432-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000800000002345d-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/3432-900-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\mojo_core.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\ConvertFromCheckpoint.eps.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\tr.pak.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe

C:\Users\Admin\AppData\Local\Temp\2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe
"C:\Users\Admin\AppData\Local\Temp\2897a7cf01455835417ce63f2cfcd3855de43b2f4c19b6f87bd5a932c88d3e1aN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
45KB

MD5
66cb642398b91da529ae7e76d2b2d152

SHA1
c4a2a2a03f966a6aa2d5b764bb35c7c62ee68649

SHA256
6b18df52c1f83d4bdb474566e24beda49a16d6b82abae6e4065b5a7c0ceaa138

SHA512
9c30ddbe5ed52e54a1b7ee41e360439a01d49c40b5b21059438956c19280a3d76d6e243c15e60531ca1e5eb46d8d04ee8274f918e5029cdc6a5a83c1d644211f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
3b9853ad4210737dc1f117e3622fb5a6

SHA1
b076d9a510e2e998f9aebf12d00588dc54664862

SHA256
4db3e62b53e171accc0c4242cc72f6f843901a4d7faa78735454ab02f2f62a75

SHA512
7b8571aa4bf006022a442949cd68046138be74f7bba32a58388b3d2490b8641b87f286110e4877fe832d52bcea8c54276593bac0e4f3e5e97e399c5824ac884f

Download Submit
memory/3432-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3432-900-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download