5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 22:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
Size

56KB
MD5

75fab4d14008a47533525f18e38403ed
SHA1

7c371297285c87da42d70894c4a9decf08a08038
SHA256

5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a
SHA512

78004f65c9a871ed4d2ea80c40347c569cbb0548407a07ecf66bd2b8cded91b05c4851adf984ee9c3f05ef0ce6c2d8d779b45bd04199e6401473bec56c926d21
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti3c7Fc7xCtC4:CTW7JJ7TTQoQmoxCtC4

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5030) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4632-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000c000000023b9d-2.dat	upx
behavioral2/files/0x001400000002291d-6.dat	upx
behavioral2/memory/4632-717-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.stats.json.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe

C:\Users\Admin\AppData\Local\Temp\5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe
"C:\Users\Admin\AppData\Local\Temp\5d083ec593e6f92af9f26de5667846644baa83954baca58ed9b202f442b1a89a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
56KB

MD5
cb9b0061e5decf79d153d8d88267d58b

SHA1
28191c2dbb41788f6cf34d270907cb4c878b09b1

SHA256
8294dca8b4adc669476a693ecfcf8c7199dba6d516c9aa9fd9f6f78100739e12

SHA512
ff98244b83bf142a3fb6c02012977bb328668fb0add21cf60921905bae8bb74eff7e91aad65d4daba764d6bb1b22d6e1b2c8d5215c38914706c03c9669e205ef

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
8e943a2523fe1ec3af77a5d7a3ca44f1

SHA1
90cc6ef6186a8e8e1ebe06ab3032615f9754aaa5

SHA256
224a32635dfc9680e3f67016735c45bc87359656824b6c3d5a35fe16a1f823c1

SHA512
93d3f227781414d9a501c9d019530aa2f32020f89ba0fc1af884d8707284924e2a9308d4402ec8f9c852e6414c3202b88dc6d5e8479391995e218fa42aa10e0f

Download Submit
memory/4632-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4632-717-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download