5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
Size

65KB
MD5

a73c0019a59d1ce4502649c53f793422
SHA1

85c6fe711f3d9091a0193b717fa8c3d3dbb2476e
SHA256

5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91
SHA512

c6b7f4a4aa2c9dbeae46e336556a0886294a8938be8334d45b7f671ec90ef21dbee3cb9aaa844ec454598045da88838e9fce9aae90bff4abd15dfa58a9a721d0
SSDEEP

1536:V7Zf/FAxTWoJJ7T3cFMOu/h6HSKX/8KX/FdyGdyo:fny1bcHf

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5030) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3716-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b1e-2.dat	upx
behavioral2/files/0x0004000000022902-6.dat	upx
behavioral2/memory/3716-664-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe

C:\Users\Admin\AppData\Local\Temp\5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe
"C:\Users\Admin\AppData\Local\Temp\5954d397996d3c62730753b9f4559c563322afedc044e305590472bedcff7f91.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

Filesize
66KB

MD5
9629ddb8d77ae0e3a8c9a8fcd0b2fdb6

SHA1
d3d9f5ee05149d74e72d2d705872fef8ab80724e

SHA256
96bdaf50c42ee66b7df64ce234f2de0b00e75a6e656d52980fb87d04842f4a76

SHA512
477d7954203d67366b4a26eca6a45718ef52f80a9d4c5d1d2f56b300f0c9a79f3a0a7d73b352c44de8e0a33e4603f90f6df831a7b6635a26167f7a09ccd02fbd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
164KB

MD5
b70f48c1f3592f572934979f914466a1

SHA1
d9e0d6f342d94c98d04c260477cdf98bf54523ad

SHA256
07b2adb2856ff2d098b59a754373a84eb82affa77c79ceb768a8a29152aba1a8

SHA512
29f44d7fd0283d8f0beec21fea101ef6dd739d108763a454ac5751ff52678717f90eb35e8ae1fa7f360fed52e38842aeeaff0272adde9f1d03040ac0db669bf7

Download Submit
memory/3716-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3716-664-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download