f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300d

Analysis

max time kernel
120s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
Size

54KB
MD5

6560b5e28fec354dc624c788ee4e93e0
SHA1

3f2e3b3a2e6d080cb9cce11d17ea1ea12ced5659
SHA256

f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300d
SHA512

22be93fa7ca14a834f8a4c5b49b715ea2a754ae7cb3c2f82d50bc7ff01bfbcf748888688f5d15a3ec5fb1aaac081daf4ee8964f166f674a47d7e1b3af5fc1301
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9AG4:V7Zf/FAxTWoJJ7TK

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4644) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/32-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b10-2.dat	upx
behavioral2/files/0x00040000000228f5-6.dat	upx
behavioral2/memory/32-700-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Primitives.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationProvider.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe

C:\Users\Admin\AppData\Local\Temp\f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe
"C:\Users\Admin\AppData\Local\Temp\f86e2297f049a5edb1c99d19b1d6db1f7c8e7715bddeb0f2f3154f407171300dN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

Filesize
54KB

MD5
53e9da094833e4669ea698645bd02084

SHA1
7b23454d8bbb06576f3111006f0421a1e6e84ba3

SHA256
6977b67a16e90da66edce367a49f1fc1471b5a275451a42c0bae5d47659ed14c

SHA512
447119aeece93594521f934b9a5b0abcdc62a0532543eea4fa4dba0923b04e9887797beb8b4b024c018a6fe2f1e6479b6e9f0b4a7f228984dfca60b79d5f142a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
c0e40b5859f7a7a2f4ef7d0bf81ba420

SHA1
2b52730ba2f36e710aff65455bec4e5dde0e1018

SHA256
cd56ecabe67b5908a1ad0cf5a829e0d30e1a928fb1509ea1bd18f4aa09edf674

SHA512
2ac24623c094d7271e5df53431d50e513b8529ebd391cb4dcdd9f88bdb1fe9f838da2c853f4fc8abacac4a41be85e9fdeec33eee8896cb2660b222b6c1b5105b

Download Submit
memory/32-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/32-700-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download