9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
Size

86KB
MD5

ca893b01ec1f2b0c7a872b098ef17eb0
SHA1

cb8137ba8c8452850ef8d076037e9d01ad831aa6
SHA256

9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077
SHA512

685ac9da122247ec2fd58b961a35c811c8204e98d799bc9f38bea0b641361f53b81781fc43d80e97d8e94b7d51468daa7ac2902cc23750338f4b7c76d9347998
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxY5Kwo:fnyiQSox5Kwo

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4441) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4512-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0010000000023bce-2.dat	upx
behavioral2/files/0x001400000002291d-6.dat	upx
behavioral2/memory/4512-670-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe

C:\Users\Admin\AppData\Local\Temp\9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe
"C:\Users\Admin\AppData\Local\Temp\9c263bc5a5ad095f3760cff9dc6ec8b3fc46c6a7c74d4f564d29ddfd81ddf077N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
86KB

MD5
458a55deb93ebd952bf3bb6959070007

SHA1
72759835115b00731aab200f117fa30584d0b4b5

SHA256
abc382a1efbe5e48d9aef46a59578af29de918bff7eb294f1aff49578c3ad8d8

SHA512
74dab592341a6d0e2a37c5a6dddd36e94e851c2432434ef0e7c619d14eacb3b7265231de0fc1d1628738dcb6deab9b3246d999900afaef8de7d81dbc52be1867

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
185KB

MD5
c64ae149577784f350408436382bc8c5

SHA1
366989269490d4e1c458b3ceab3cf669d761831a

SHA256
d30ad79a868ccac3f8d4876c7249d0f53b6b797f57db9378ef5c1633fd7ccc9c

SHA512
80688d79faa2af1739a7257aa4b3615d3ebdb320d33849844c3d6eaf176ce33d2e8a75866647b5a55367b1ae340440c71d782644960ec3f44bbd99352d568e5c

Download Submit
memory/4512-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4512-670-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download