0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 23:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
Size

59KB
MD5

c9864bb06427f491583bf6d2e79a5990
SHA1

0fcf72a4331b8a8ce81bd1ba83d34a8511259259
SHA256

0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87d
SHA512

84579c257e60d62340f6261a995fe8a784575d351736ce8e09b0ec53df72fe52458925b2d28821923b35e68f0e230dab53ffdece6150a60b3f8c57ff685e8e81
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9Y40g40m:V7Zf/FAxTWoJJ7T2LgLm

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2324-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b44-2.dat	upx
behavioral2/files/0x0004000000022916-6.dat	upx
behavioral2/memory/2324-726-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LHANDW.TTF.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.resources.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.tree.dat.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe

C:\Users\Admin\AppData\Local\Temp\0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe
"C:\Users\Admin\AppData\Local\Temp\0247fa6388c52c0e47069cf783b26d7cd7ebfc065bdf2ea67756a2504165c87dN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

Filesize
59KB

MD5
753b5c0e90c723c482e7ed9ea14c012b

SHA1
cec73d68b947b14f11aac84009112368e36e99ae

SHA256
c65e1d95760282dedd9194eadb7258704a88b7c7714c96823c15a9037488a307

SHA512
84feecaed5793d54add8bffe76fa8c47b1f2558a601bd271ca078e9800e143297fcae861180969bf52f97ae8dc31f91c0d35991bdd19c418adb182b0d50a0ad1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
158KB

MD5
f6aaaca1960f7d511b15c3be5035fc84

SHA1
e7d89bf5801748d4cef24f7461fa6c9462778b4c

SHA256
634b3a88214d3d690c172f57fc9420e1bdf023f63be7fba9e3ddfb825154f3bb

SHA512
ee5ddf5bda16abe01274678d19aafa2fd949132dfe3ad43a5f7e82147541639c137400315d47c1f1041b8dd66b8c96691bf3533a316e6aaee759cc4d0ee30e09

Download Submit
memory/2324-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2324-726-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download