aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
Size

90KB
MD5

d1d65ef7cae0b959030d5b9ea4935d20
SHA1

a583596433f1cd4564f5bde48746400ba96e304d
SHA256

aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999
SHA512

f426eb9a9971e2b1178c6371fd71494e511ed764d6945b703698e65d629a890395f49594b8f8f9248566eb09938569b0375dfc5b0a9183e297d7b960d4dabe02
SSDEEP

1536:a7ZyqaFAlsr1++PJHJXFAIuZAIuXsJtLJt2:enaym3AIuZAIuX5

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4211) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2952-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00040000000229c7-2.dat	upx
behavioral2/files/0x0014000000022905-6.dat	upx
behavioral2/memory/2952-660-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\LICENSE.txt.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll.tmp	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe

C:\Users\Admin\AppData\Local\Temp\aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe
"C:\Users\Admin\AppData\Local\Temp\aac4e35d44e30c20514ed1172e00b0aad8294297f64c4b4a3c8f02f970ecc999N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

Filesize
90KB

MD5
124c4369f18068f457d8a8f598f017e8

SHA1
9181a3b9425ff5a9ef689d9436fe6f66b98ef2f1

SHA256
23334b94508e2775117032c4f11c6417e22926219b7eca6e584e3438ecf05827

SHA512
4cf8501c7f10fa57209befb54b5675fd3480fc0c23f0097a4493ee2a3b3d9dc72a9bd6a5dfd50d44d78c006f16921d42d9a615ae2b276d238af379073ff4d412

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
189KB

MD5
57342d4587d309b6ece626384dd30add

SHA1
b89eae434597b1bdb3d865d7106cd63fa9fcaa7b

SHA256
2e607debfd514b29055562ff45ccc49d0190262440c8dcfc4d4bf86230fb98f3

SHA512
8a1d425a6e2975d104fdc2528103cdd91a96810ce03dadc713699adb1df95dbfe2bbec7812630d3d069b14e6e3f59519bf103eefc76f24b17803a7676fb021e3

Download Submit
memory/2952-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2952-660-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download