936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
Size

101KB
MD5

8f8b93cf86cf9d2837f5aa881342deb5
SHA1

aaeb9cbebd13c3959e03708a4185c4d726e360d0
SHA256

936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8
SHA512

259c3ec046e09fa0a0487778ac947c36cea47e46486a788ce3e9c0b2a47464978be4b319b19679c50ac8584a72de964b9e6d62af1ebc7e686740081868672e3e
SSDEEP

3072:htEr9iMGfUSaOy9SnJUwFU+FUhFUeFUXFUqyqKRrpF6PwZ:fEr9iMGsSaOyiM

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4540) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4892-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000b000000023cad-2.dat	upx
behavioral2/files/0x0014000000022912-6.dat	upx
behavioral2/memory/4892-651-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\CheckpointInvoke.dwfx.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationProvider.resources.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe

C:\Users\Admin\AppData\Local\Temp\936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
"C:\Users\Admin\AppData\Local\Temp\936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

Filesize
101KB

MD5
8317d5a51c9907a3ece78a7b616ac490

SHA1
2a5591281bb53599bc925a6d40b4c72d504f63eb

SHA256
092542d41480e6c844346c0177ebba8b047b143aa1e1151b9241faefe02cbc64

SHA512
b7370adc91fa565e52d1eba05d088ab76341fbc0b7be516b836b1a2e1af6cf61338dea9013d69b9dba3040034f52501329eda03ac7edb3915c73bf479f1ccee6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
200KB

MD5
3913cf55af8c440e859204c154722035

SHA1
944a8ab036fb48e14c794697c0f578e1c0454b47

SHA256
848a7a1df799f7c565996bf2eb4ebd938dc65f0fba764c6efa5e44b0ea876c0b

SHA512
30ed20624964d7d4c90d6c18c8a131fec8383f13313c1cef8a154a8058e0b7173694186aba1441cdbfd893b5887ea28a7093ee5c50d631f6fff75029c1369751

Download Submit
memory/4892-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4892-651-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download