5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935b

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 20:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
Size

107KB
MD5

e0e9174c990ad720138638582e4b4340
SHA1

0fd69549533089223c873de38c4f6377a23d8a5c
SHA256

5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935b
SHA512

d53a80b9367f9c01307110f391af589f35fe5d033449f66d18d3dbc9fbf9f296b00c1b1ae402f5ba034474bd1c808145f95c5b00ccbbf358c6f8ae42abba36f6
SSDEEP

1536:V7Zf/FAxTWoJJZENTNyoKIKMQTW7JJZENTNyoKIKMIjUvpbN:fny1tE5KIKEtE5KIK7jUvpbN

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4300) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/972-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000d000000023b53-2.dat	upx
behavioral2/files/0x001400000002291d-6.dat	upx
behavioral2/memory/972-660-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_elf.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe

C:\Users\Admin\AppData\Local\Temp\5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe
"C:\Users\Admin\AppData\Local\Temp\5ce87ba3b3082e563ee57977ea9f409e4c133df73a6d0c98085648d21f4d935bN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
107KB

MD5
0102c123eeb2542a29812e2f8b00057f

SHA1
b8c4b32da5a2997799b1c3f2e1cba40710ac61b6

SHA256
d76d9db28b6e3fec1519512a8ce16249022842fb57b977c16f8c76651cc0ddee

SHA512
38234540610d521b074fa8c472cd43e57e7bc521121b9b0607db8a33924f180b2791a5463dca302e96a4546bccae4c5a2b1a49f0cbda7f9ac38e042b9a8b19fe

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
206KB

MD5
255ecdc83e5bc6ed81d8a284807c175d

SHA1
c8216e26641a5c57b68dcb6f36f866bfe302c8f1

SHA256
847cbeb015ab8cffb4af25dcf92ff01e76348ec736a4b7d0a556a42ba37a369f

SHA512
fbb9c89197ca47d3a083b5cd023aa1a1d62f82a9dd4140f4f3b51ba25b21cecd0493b35e9fe112413bd946824253bfe774384d802efb49321937562372f104e9

Download Submit
memory/972-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/972-660-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download