c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80f

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
Size

77KB
MD5

d374d77181568dec6da57707d6ecd2b0
SHA1

31dbf9d1b1645896453c6fd4b45fd2fa16764d09
SHA256

c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80f
SHA512

a44fd04acee5b2195ba63f18b1710235b2597bd6f1d7127370539fbf5aa0312e764bb93dd79bb155fba5386ff8dcccb665345f904e9733b381932ef862a2bbd5
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti3c7Fc71:V7Zf/FAxTWoJJ7TTQoQmo1

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4538) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3372-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b0b-2.dat	upx
behavioral2/files/0x00140000000228fc-6.dat	upx
behavioral2/memory/3372-784-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Controls.Ribbon.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Java\jre-1.8\lib\currency.data.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe

C:\Users\Admin\AppData\Local\Temp\c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe
"C:\Users\Admin\AppData\Local\Temp\c1a4a3e791e34e2137e6565e73375b8db668763c8e54db62591b0978684cb80fN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

Filesize
77KB

MD5
0efbc7162b0d8212cf3e12619532844c

SHA1
20606a52e1e4042b19ccc8e2a5ae454060a7a382

SHA256
52e0f44c6f768c4e11a0117789f5e2d8e7997099ca2a101ae4248827ff625ecb

SHA512
6bb9efb32cb193ffbc912caa5bb57a943805726ba1de715d6fae81f47d2c2cc87c82e697961de303bb1e491a0df3be08cd822a1668bb4e3dcad48763e3ec5652

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
176KB

MD5
910cff74e6e10654b9b43b497afcaf03

SHA1
42c7686bbd57c35d56efac6b7633a6ff743ec28f

SHA256
c9d5348aab073bd1932a8a37cea106a13e05e98432e3b498d5c3153e608094d6

SHA512
719d7b4489926c8763f9cb0f51a78abcdec97499fd6464080b198d6038d3683ac1e8d75afb893eef4862e9a225bfd0b79ccc8779675e366ddef31fc5a363309a

Download Submit
memory/3372-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3372-784-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download