7ab89218f87eec265ed366bcb1bfdafd99389e4406c0ca529ad1cf59990274cd

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0575a6ecc31fecd8b2b4323a3ae21890N.exe
Size

43KB
MD5

0575a6ecc31fecd8b2b4323a3ae21890
SHA1

eab660ce7c1b42e908929e3780301965ec65419a
SHA256

7ab89218f87eec265ed366bcb1bfdafd99389e4406c0ca529ad1cf59990274cd
SHA512

00a5996193b2fb7c77764c864c3256bd2913533afc6e171898eaba8be03884a58a6ebb0a7b974ae0833d782e8303820fd12fa7763305e2f77daad2ce0588f213
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJXGiXZ7gC:V7Zf/FAxTWoJJX7

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (325) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000d000000014132-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/3012-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\rtstreamsink.ax.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	0575a6ecc31fecd8b2b4323a3ae21890N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0575a6ecc31fecd8b2b4323a3ae21890N.exe

C:\Users\Admin\AppData\Local\Temp\0575a6ecc31fecd8b2b4323a3ae21890N.exe
"C:\Users\Admin\AppData\Local\Temp\0575a6ecc31fecd8b2b4323a3ae21890N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
44KB

MD5
1141eadbfca57a6aa68a92d320be177a

SHA1
b6dce1fdac0811fe5aa33420ad86c5d703e2de35

SHA256
33ad248d8410e0edcefa21dac7b3eebcc0799f982b2bdd28489dfc6280428d79

SHA512
d640ccee1d3b72c802c6d6e464a001fbfca6f406d894fdd5e1a4563d4ec309814d59e0590659e1748ee13e1e913289ee91c09f14e5d7e7bfcef73176ff6234e8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
53KB

MD5
1fe5bf001c0b9398080f21de793bea15

SHA1
c28b320e7fb9277452e3699f144164e946a19d56

SHA256
0809f9069af2800cdb1138e8fc84de8a4ea8c36c93f04a6effcdc7f35c4d6278

SHA512
5a200384c80676ba2539e735f4682a59a83ef9794c03ba54e309931374b72a716517938d5704d3f261160c1fc4aea6112dadfac93ebf16abb569589e4d9f834c

Download Submit
memory/3012-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3012-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download