60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2c

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
Size

183KB
MD5

290e036375d560807af6d3db7e967f00
SHA1

62a6000304357d2226b5dc3cba350191afde92e8
SHA256

60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2c
SHA512

410fb1ce3bffab52361ac84d0a0d130088b02fc82f9c4345fe6b59ccdd89a2a808a251fd12f659b5442239abc3f3008963c843d62ed5147635c8d22f1b69ab0e
SSDEEP

3072:htEyyj2yAeCgjJQWHIjN3tj6qnv0b2UrXkbvLiPz:fEyyj2yAIJbIjNDv0bNXkbvLiPz

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4007) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2028-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000c000000023b8d-2.dat	upx
behavioral2/files/0x00140000000228f9-6.dat	upx
behavioral2/memory/2028-651-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\HideStop.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe

C:\Users\Admin\AppData\Local\Temp\60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
"C:\Users\Admin\AppData\Local\Temp\60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp

Filesize
183KB

MD5
f4faa829c5d900c478536b584fae7d9a

SHA1
f7775e8857c7203f9145131974386dcb3975889b

SHA256
10401f0195a04e0ec4142bf409079976ddbd008621346e6b22782b0059866e00

SHA512
a9ea7dfa6cb7581d789da7d8bebcc118285e117f41e24b9fb21625ae0bd85d6d2db90abf71cf38563720e11452b48f81b6233d6c2e7b7cdee37893bf659bbe01

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
282KB

MD5
df8b84bafe7e7f2644250ed37dcfb439

SHA1
7ed65e5f63899af42f4a8300c648dde262aaebfa

SHA256
ae2514372435258cbdfd221bd0719fe9503e2c39d2a1ba1e7b2ef3def1e2ae9f

SHA512
c8d7bcf101eb15a8445cec8dc717644e35608af38e42c462da85b8cbef92b8711e7bb57e09774064253043b717435bdf7a40e0ae9b2902782af86c2f9fb34270

Download Submit
memory/2028-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-651-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download