6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
Size

42KB
MD5

69a04a278f11ca13f83f8e3547158c35
SHA1

de14fdaaf5351b151b72bdde68c355dc4243b384
SHA256

6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c
SHA512

5167dfa07ff7e9ea48ebb58bd15e4f744137e5e1b07e95d25dbfe349410e77a3ae6ecf6d542aa3543a97685e7d565c0bf2e71605f94b026dd4d068258bf2140b
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBR:V7Zf/FAxTWoJJZENTBR

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3649) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2764-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000a000000012029-2.dat	upx
behavioral1/files/0x0002000000010663-6.dat	upx
behavioral1/memory/2764-652-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre7\bin\splashscreen.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Media Player\fr-FR\wmplayer.exe.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libd3d11va_plugin.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\shvlzm.exe.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Adak.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Macau.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Atikokan.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Mail\wabfind.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe

C:\Users\Admin\AppData\Local\Temp\6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
"C:\Users\Admin\AppData\Local\Temp\6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
43KB

MD5
a71267da4cfa8165e266b9e028f3eb19

SHA1
2138a9fe48e5890f827158cc2e5d4941a781bb29

SHA256
5df1285579abbebdd7f5a809215a900717ca7a9618e9906304c584a8fdab3de7

SHA512
7be76d8acaa42530d1532f353e005aad2a39cc9bbdd0570502f1cb5b620941247c3b4fcdfc6a202dff8e0a4765004807c41c9132186b59902f7bf60ed694042b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
52KB

MD5
3b78a37026c5745341a1810a82e9243e

SHA1
8759d1ed20330fbab6a246184b9fac44a3d27fcf

SHA256
8e207ef844a2f7e40eaaf42ef47a4622c4059c5f49a8dab2e86d35f62124156f

SHA512
af1cc0eab34b11a741373a6ccbc24f0b1761dc240e3909498f6669652009cb87d771e1521b0001c96af231eabe12ee4f517ec20d97a8056239f522991dc43d1c

Download Submit
memory/2764-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2764-652-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download