be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c

General

Target

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
Size

60KB
MD5

8277b65d3e0c37d1c5857776a7d8f2c6
SHA1

0d4ef0603abfaf592a4bfc1385f3a5cb511ceea8
SHA256

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c
SHA512

9a006ee5d3ca1f534874cff906a6e45c147e4e062c52be40e628942f192cdae96dfff3a6c320cd5ed0338449c922aea197f056356f1b7b63d01515c50092a5fc
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PV15Rn:V7Zf/FAxTWoJJZENTBHfiP3zemtjF

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1813) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3004-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3004-654-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Crashpad\metadata.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

C:\Users\Admin\AppData\Local\Temp\be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
"C:\Users\Admin\AppData\Local\Temp\be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

Filesize
60KB

MD5
ab224d09bc34d1a448d7fb955d199151

SHA1
b026e8bb5ce40e5b19ebd4eb9c2e3c69b05fd400

SHA256
1e035646b177274a36b44467f4c8ba97df8096b3441ad85d14071fe3018114db

SHA512
e736592424d1f68aa6828dac2ae93ffc3b701a10b9c7f6c144fcf8ab651cfd562723fd639b0c781d7373f9dd3af3509c5f38b5833cb5ec552267ea8f84fe09d3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
159KB

MD5
bc4ca074da0ce171b863c11e8f805d05

SHA1
989e7a485512662d2bcff6b4270b94b42773d08c

SHA256
03ea94ef2985f1b9610d5904d11e99f4703901296797cf9647a6d58637e00193

SHA512
285658c9f7e29c53bd19f46509f9fa48ca530ce15b0c29e41d2b1573c4b883800283cfca4a4ca29d8bcfb2e5712f5c7989b1896d4222bb821dc1a1868a2037e7

Download Submit
memory/3004-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3004-654-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads