3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
Size

39KB
MD5

e64d49cd812a696c28e13ed10b6498e0
SHA1

1e1cd2a3f9ab460e436264a2d5c8e8031a2f2e98
SHA256

3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6
SHA512

ddf313543d0a9feee1cdd96cf6dde5a12a8baf4db1c2ef70f11c973ca81ce754491b8b014265cd6ab0f02fc805b8867895acd1d062ede506ac061c0ba0b1c669
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PrQy7uoyCwqwT7uoyCwqwr:CTW7JJZENTBHfiPrQJogqwGogqwr

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5100-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000023409-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/5100-900-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicudt53_64.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\af.pak.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-oob.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe

C:\Users\Admin\AppData\Local\Temp\3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe
"C:\Users\Admin\AppData\Local\Temp\3f76473cf2f22074c9dc180719715b5597dec2e4f8645ba3288a93a8488f95c6N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
39KB

MD5
252afd68e14637a668909bb0667d5d09

SHA1
9a2ff857196e87872d1ca3eb997baab31f6ecfd6

SHA256
da582ccef6335a7a455ed041e377d4c405b30c3492fa6a2dfa379c03b81d78b3

SHA512
564c4ed8766d2ea8ea41f2fb01e80b205833609558fee392aee61c7f40003e165a79e0737694cc03addbfbf699b77c07deaeab7559b67bde64fd712cd5492229

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
c5b334120c5a72c2d4c5e680856c1a32

SHA1
7f36438ea8bf182de0bd8f004b7571de6ec72f87

SHA256
50e5f8074b692279dc80f9e1d864ed0034bd994668dc0aac772294954a679a45

SHA512
104dec559c6ec347805ce1be8bf64c32272c7c39840973c332d278ab63463d13f8f4d8b2e08292c943f646d11a06b781b450bfdaebf8e8bdd0bebe7d500023e8

Download Submit
memory/5100-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5100-900-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download