0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
Size

88KB
MD5

0066e6c58f3b8cd16bd04df838a099fc
SHA1

7e755b88c4a5d7ed33aa7d250b42776e48cd2ea8
SHA256

0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8
SHA512

17c389835faee45d1273d80e42444c61b5add7a2452420b858ef49066f135242f460b17f886b1ef5205bc9588452181de831708b33308771a0a2f41f52dec9d1
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZv2v+6G:fnyiQSo7Zv2vs

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000012119-2.dat	upx
behavioral1/files/0x00020000000104da-6.dat	upx
behavioral1/memory/2360-176-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\Solitaire.exe.mui.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.mui.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jre7\lib\zi\HST.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jre7\lib\zi\CST6CDT.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Baku.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jre7\bin\keytool.exe.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kaliningrad.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.tmp	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe

C:\Users\Admin\AppData\Local\Temp\0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe
"C:\Users\Admin\AppData\Local\Temp\0d50a0f0d1f58ce39376314383afd4d0ee4e8366f361ac09e3bc0836f27cc9d8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
88KB

MD5
e09f2871ea30bb5223f6fd20d0bf8f1e

SHA1
4ab5aeb0fa6e182fff2cd1737feb4831d559c624

SHA256
e8f8997ef973f276048d590d3c6cfafb8603da62fe5ffefb627028be9b399a98

SHA512
b668dbd8d31c194a97d7bb837513352d4afe5334c64a7d39472d68e581a7881cb2596c55b815a253a0baf8ebd8cae55067edaea6448b39a2702eb7c0b0cd84f5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
97KB

MD5
51f0daf581cdbd4372d6975db6792fcb

SHA1
b9c1f7b619b0db63e05db9367f6610e1ed86c1e5

SHA256
1d823d162061d360e6f69d80280bb5b610b81c2706da5f98252441ffc9886687

SHA512
50dba51d9c2bfbb29cb0d63a03f22a03965c44459255cc8249e27a09f6ca8573cca81a3c65fd6ec16066bd003ee35accf0c30d648884925d51a275d4b98bb13c

Download Submit
memory/2360-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2360-176-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download