315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0e

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
Size

82KB
MD5

9baa7a98d217516975fbf328e88ad890
SHA1

c54a7ae65f817f649581b30a617e5fdaf6c8fba2
SHA256

315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0e
SHA512

d4611e87e8aed384c23b63f82e6bb9bdb9cf0954e0d1a861d6d45910f77353c620a90666acbc7880f1b29cd5096d565af6e40edea984254808e878e21ec465e6
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9jBT37CPKKdJJ1EXBwzEu:V7Zf/FAxTWoJJ7TjTW7JJ7TGHs

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4841) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2764-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000a000000023bef-2.dat	upx
behavioral2/files/0x0014000000022905-6.dat	upx
behavioral2/memory/2764-656-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationTypes.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OART.DLL.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXB.TTF.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe

C:\Users\Admin\AppData\Local\Temp\315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe
"C:\Users\Admin\AppData\Local\Temp\315d4009889fd0e5ebb4ff6d2aff4666a07c26590cadcb7c924b97e200834b0eN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

Filesize
82KB

MD5
12d0f19f716638b8d84750acc3dbedd8

SHA1
04bc1275ed772c50053cef25531208e9303a62cf

SHA256
92dcc21fb97a70bfb18a55292571e7248989e57e7c1b530a08ce97fc1b521d24

SHA512
f70e2ac4f73bd0f15253b15c052a852e5c4f1bf7c1dccca0ac9122ba52c10d23d1157604916e35405e91cb3e88d7470c8d942045318771f713cefe8e2c77ce08

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
181KB

MD5
dfb5c69b6fb911c0c1619be14e734aa4

SHA1
c4d3ff88e89fe62f810fff8bc71cbcf626395a35

SHA256
aa5c722d7f71cd05a8d9b53940634a4a7fece496280327fe5511946b846ffa61

SHA512
a248d2a8f160d5ab19a1fc48e41577af0c3019d139e4a3b45ddfe1a20d58ba8c5027794d99fcf6ddc17d626cbaabf386d3a69c8d195d7b0acca92651e102eb0d

Download Submit
memory/2764-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2764-656-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download