01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
Size

39KB
MD5

0ebf7a67f138327704f858f831c91b00
SHA1

d0fe5df8b28264c2e8c58a6ee0c5967b813cbdbd
SHA256

01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400
SHA512

c3baf0907a5bbf6d47ee3328da3fa2ea781c9db39fd5be5d16c6fe336130d7f870ded23708bd14ccbf70241880efead297d612f8ba366bf5b3feb5338d05b425
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9Ro+QOViJfo+QOViJEopodSox/6Sox/9u:CTW7JJ7TPUTEy

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4658) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4396-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023c8b-2.dat	upx
behavioral2/files/0x000600000001e5c2-6.dat	upx
behavioral2/memory/4396-790-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_100_percent.pak.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationTypes.resources.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Java\jdk-1.8\jmc.txt.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Primitives.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_elf.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe

C:\Users\Admin\AppData\Local\Temp\01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe
"C:\Users\Admin\AppData\Local\Temp\01d35cfe8fcfab0836ac0ca7ce34c76fbb773bdce1085dd2fa6930334923f400N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

Filesize
40KB

MD5
0a7e475da6a18b021616f64a974ba9f2

SHA1
2483545c43fd0b71177903f2feeb889735712940

SHA256
23bcf596be999bd3ccc74d4c7dc6e698e36634f9a571721215d33c0560b2c349

SHA512
ab1d7e13b9441f1086ce742e81e4d150e7d1b42274b02a4de97cb469260d36458a21f6d500a94820c252c6ca5f37d508ed79d869477309b45db2b0aef4a44f13

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
b3a9009d61a8751c404a653cbc433a78

SHA1
9597c87ba7c0cda5fc25bf2b8e7f113b8a73337d

SHA256
0d20cd0c55fa0d6e3d2c3154210712de7f08ecaa1082789478276563904fc0f6

SHA512
eff430438ca6dd000ce038b755ceefac5851c1cca2632ae22f0014304d37981d9588fc9acbb8ec1215999ed5a9e219b39c6c9b64faded70cfc3e7944be112dd2

Download Submit
memory/4396-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4396-790-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download