3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bc

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 17:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
Size

56KB
MD5

e5f041279a1020f2c184076d4b90ab60
SHA1

0c8846dd8d28f951cce213996c696b1c50664b1f
SHA256

3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bc
SHA512

5cca46e22712d7565408400b5308621507b6d75b4c4798b0a3936be39f49c382aec5ee5bac46a8acf491eb851796b732e19528ac7a54a5d3bd8d8e96c32a36c1
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9O73Qi1xu73Qi1xP:V7Zf/FAxTWoJJ7TM7336733r

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3284-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000a0000000233e2-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/3284-906-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClient.resources.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Handles.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ppd.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe

C:\Users\Admin\AppData\Local\Temp\3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe
"C:\Users\Admin\AppData\Local\Temp\3656c417dfc3ecf5fc08138bffba4c91faf5f38e3d09ba1c69c3a82e5dae96bcN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
56KB

MD5
03412b34d12ebd3357db2283048d28ad

SHA1
38dd317afb8995434c2afae2570e5feb8b17d992

SHA256
5819830947090c53fc0644ffbe397affd77cee3681925b3af3def0969ae4840a

SHA512
1c610bfb861db5b59bfcf470a15b1a0b395df0fdd683cabfc19f0466fca774d9e4be090c6f6e74c174eef4fb2f8e543764685b3d44b3600609a868b58aea0de3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
be5dcd2bda593cbe7da62c3c372e7fdd

SHA1
058052a71964a58de9f112eb8617041f6d139576

SHA256
de811814fbbc9bf62aec4e091b2eeda449d6e0dcc711ee470d37f6d8d8490980

SHA512
250acefe224b1abcf1e39d091e6e1d484144995518225b1635cbfc9b7670c64d72bcc7b44f6b48ad611196b7e439feff8642515cea842be0905ef6df2698ded7

Download Submit
memory/3284-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3284-906-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download