10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644

General

Target

10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
Size

119KB
MD5

77ef3d32ba6d47d9839b0ab1bcc02872
SHA1

dd7672ff75e8d7ab254ad0041491f107a114f25c
SHA256

10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644
SHA512

796a8a2e9438f9552558dcfd88e23fab5c3a634455fcd6df79510e9af53393eddf041b9774f76ddff346c95c4eb91570fddeb3a9ff7748fb44f244008c73f325
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PViYl0:V7Zf/FAxTWoJJZENTBHfiPViB

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4751) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2440-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2440-654-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ja.pak.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-private-l1-1-0.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLSLICER.DLL.tmp	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe

C:\Users\Admin\AppData\Local\Temp\10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe
"C:\Users\Admin\AppData\Local\Temp\10743ddc2119def10be7da51e4cacae7f4a16db644fb69bddd9a6acacdb8a644.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

Filesize
120KB

MD5
fdf93493379d0d94a787206bf729da65

SHA1
20262686a0fb488136a31a474d73978f1c33f01c

SHA256
37cfe3b45a150d87d283312a7c8bd32e22ba349d70b7395f3a939ad2b4a3bfc2

SHA512
fe5ff5d8a855f24db631ab54477122880c702cb2b123dfa130814503fe7c5e4ccab96e0eb4560577fb79514556b4d9f900f19556f51b2c54b8a3e1090a58c05f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
218KB

MD5
978f750adaeefe5051a4b61931deff3d

SHA1
523b4367a4d151dbf56f5b9a52a32718b09a706a

SHA256
a436d96ff87564ffb5c747028fb3b2eb2781738a7dee743b6f27448dc002b14b

SHA512
bb38517d2818fff9c9d3e5159f1fb5fefa288e8c1027d4f28608d07016ff7a7f2ba0546a5d135d13d75d6dc3136504dbcabffd5aa5595b6596c9d4009491e9d0

Download Submit
memory/2440-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2440-654-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads