692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
Size

50KB
MD5

00999cef8a961a11e7beca4c94e67af0
SHA1

fd65cd4c829b3418183ebbc2f77eb278f63c78fa
SHA256

692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc
SHA512

1131653990c6349bd92fc8defe362104cd9642381d32fbda23f7059d11f0c7e24758bdb58f5a4af8053c2efb84bbdd35b3b5f4b98f965fdf2e29cc04d665157f
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti3c7Fc7u:CTW7JJ7TTQoQmou

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4928-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000c000000023b03-2.dat	upx
behavioral2/files/0x000600000001e5c2-6.dat	upx
behavioral2/memory/4928-785-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySharePoints.ico.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\strings.resjson.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWDB.TTF.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwresplm.dat.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe

C:\Users\Admin\AppData\Local\Temp\692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe
"C:\Users\Admin\AppData\Local\Temp\692e717964af95a25082411f8f0c70af06567418b0296b171ac4bb882e72b6cc.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

Filesize
50KB

MD5
1dfb8c92e37495b5c9a694ba49ba5b0d

SHA1
7c6ee51706b22b48ff066629499abc615b6a689c

SHA256
a8fd0e9cc33ab9da53b0334034ec797b59213cc8e66111f55f16dac5d6ca265e

SHA512
65f1beb92db1f1787dc2e20d3b32336e2da8e11e2573a5e8c1d85a543a6f58cf354579c4684fa094eed948c18bfd5c3c405615f9832938783f72ebb76a9debf7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
da86cbe3735aa40ade7670d53513a4df

SHA1
3259d1672268b7eac765d81552a7be664c1d1271

SHA256
51d338d53db8d99ba707e5ffd483b40430a606723effd2fbfa8700b2f30e84cd

SHA512
93983ff4ccc6bff68e69ed1414c1b285381c60620d05ecd5c3c24dae9c85bcb1fc4ca1ae52aae677bd0b186d54c03ad9b2eeb78fe3efe65f0a2a4f33ed401c1f

Download Submit
memory/4928-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4928-785-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download