64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
Size

79KB
MD5

67fab0b8e95c103f478abb8ce5109120
SHA1

94042fe759dfb908c180b9f38af9cd4fc5d09526
SHA256

64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4
SHA512

4385e5869e5e1e7b44929d2ad31aaec255f840ae742e4cc544e2315846ef46466b6602e0bb1af06ccbeb3ae8891bca6ab8b2a1af5d23e50893f85078a8c6faac
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti3c7Fc7I:V7Zf/FAxTWoJJ7TTQoQmoI

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4637) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2476-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000b000000023bc3-2.dat	upx
behavioral2/files/0x000600000001e5c2-6.dat	upx
behavioral2/memory/2476-730-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoDev.png.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClient.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe

C:\Users\Admin\AppData\Local\Temp\64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe
"C:\Users\Admin\AppData\Local\Temp\64056715feec20245d8c4da077a277a3424f1249489af2b6fe8de039de8a0ea4N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

Filesize
79KB

MD5
073178812a40081415cee2cf20758f8d

SHA1
b8cc9683ec0d94909d20ea81402de9b4ae5ff481

SHA256
40ca9c41d48c8f738c20bcf9ed1186e6c619582d0ea1836658ede6dc65a50c1c

SHA512
20bb13c7258b7312460c605933570d328be513bb73265d370fd207bd77bd6b78621d7842151df4797575f1d0ea81d8631dcc31ca2d3dcc89cb39b546353d7200

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
178KB

MD5
dfca45d33ee878ad4c03f068ea55ab03

SHA1
c5b93e96866f9528b44a55ddbb6bcc55dd9336dd

SHA256
74bac3d3ede362b8c9c4094d9a41ee9168e22513c36e3825dcb0f0bd42cd9b98

SHA512
1ed34dce3ac9073a9a31b5541064145cc8b5bf4e1994ab098b474e2cb9a7faecce3a6eea755409a98c70fc4ea9625c838ffae366424f88e330c95a5f81a1a07b

Download Submit
memory/2476-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2476-730-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download