1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ec

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
Size

104KB
MD5

d0d1e0e9ec67f3e49ed23941b8bdc980
SHA1

0627f0e3148ac89d9aae19da5927c3161826184c
SHA256

1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ec
SHA512

e407e725b5d4cb214c51aecb11e22cd471cdac5263ef94e11ee3387de4e03d48ba76c1dc91a6536ed62eae67628e53853ff30889e42b54d5321b7772a5fb133b
SSDEEP

1536:V7Zf/FAxTWoJJTU3UytJfOYTW7JJTU3UytJfOh:fny1hf

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4577) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1524-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023463-2.dat	upx
behavioral2/files/0x000f000000022902-6.dat	upx
behavioral2/memory/1524-838-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\CloseInitialize.jpeg.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll.tmp	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe

C:\Users\Admin\AppData\Local\Temp\1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe
"C:\Users\Admin\AppData\Local\Temp\1f65de8df7e6694a9e781f3de8bcb04e4b38f413ae7c19343bfe673ba3ee56ecN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
104KB

MD5
8c0e61a336fe263ccc3e2ff00c7dfb10

SHA1
88b83800e7306326508c493d9987db6c128aaadb

SHA256
83b1e9e9b11b7d269e514340db43f7a3e6d332471b77c2c754e11c0946961aac

SHA512
6c1eb5b5e981de38da03aea06bd70f00074fe140a702e9eec8a65c7290440036819e5757183026aa53d09a2e98aeb452b3f391aed420cb1a3d4f1283da0427c5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
203KB

MD5
9e96bc2f57d3510d84384f7bd751c500

SHA1
79b567dab8460b6b002623401b280c4f39b7a90a

SHA256
04a02fc4a784fa2dc2388c50d146a9d5e56f62632ff44bb1ecd5659c9d7085d3

SHA512
88a931fa4c8d8bcec6f894654072c7e3c5e9fff1c24dbdea2f32d990ebbf748c2c368ce8a8bf7e06905c55d2e112c28c1e8ec76b056ac6534beb976b2844a5e2

Download Submit
memory/1524-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1524-838-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download