10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644

General

Target

10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
Size

119KB
MD5

77ef3d32ba6d47d9839b0ab1bcc02872
SHA1

dd7672ff75e8d7ab254ad0041491f107a114f25c
SHA256

10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644
SHA512

796a8a2e9438f9552558dcfd88e23fab5c3a634455fcd6df79510e9af53393eddf041b9774f76ddff346c95c4eb91570fddeb3a9ff7748fb44f244008c73f325
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PViYl0:V7Zf/FAxTWoJJZENTBHfiPViB

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4211) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3928-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3928-656-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_100_percent.pak.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe

C:\Users\Admin\AppData\Local\Temp\10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
"C:\Users\Admin\AppData\Local\Temp\10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

Filesize
120KB

MD5
2943893d9e4936a803421bf457f7e9e2

SHA1
35f6e5bdd72a2e8e0745b3eb39698dea947c8223

SHA256
fefb3c901cc00f6ae200cfd63dea4ab74206d0023c3c0f4860c3e5840f66e28a

SHA512
d7f74ee23b96fcb16fdacb524433e38ff91fd83428be2cfccf9e5c00a4492229c9d8af469c70e1e2b33ca7c00d102ec48019f4afc57f88b0cc5d380569e42d10

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
218KB

MD5
38bf6053643d32140f48df587e23a48a

SHA1
5e711097a7ec230c5f7609d631fbde8d93219dd9

SHA256
9c8faaf51e0924b6f0a7f78624aa5cc9663e25062e4f6b6b234ac11d8b1e0df2

SHA512
486ce4c6040bdec67e107b67a20734d0c4389946691a96ab252f6f344e851a4dd8f5b073b9a603becbad6167a0471bcdd447c4d6e55848a1897dbd6bd596c313

Download Submit
memory/3928-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3928-656-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads