4090afef14f5e010733f4e94a814fc76bc5fb80b4eaf59909a6d3d4fbc63f2e8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60023bcb4cf1899dbb81084ec4cdb480N.exe
Size

85KB
MD5

60023bcb4cf1899dbb81084ec4cdb480
SHA1

8a97f17720dab739ead0c78b42fbaf30bf87b8a2
SHA256

4090afef14f5e010733f4e94a814fc76bc5fb80b4eaf59909a6d3d4fbc63f2e8
SHA512

bbb782dbe3e6d68319855d1fd3ba4eb8a778ea0e7f1760fde05de74f275b693c562e082ddf6a289b5d2c192ef9982192b17b08112c58bee7a826b316962acf7d
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2ry:V7Zf/FAxTWETWMAI

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2705) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b00000001202f-2.dat	upx
behavioral1/files/0x0002000000010663-6.dat	upx
behavioral1/memory/1972-162-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\DenyUnprotect.pub.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Internet Explorer\perfcore.dll.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Maldives.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\EET.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Internet Explorer\Timeline_is.dll.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\La_Paz.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+3.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\bin\fxplugins.dll.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\Chess.exe.mui.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp	60023bcb4cf1899dbb81084ec4cdb480N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60023bcb4cf1899dbb81084ec4cdb480N.exe

C:\Users\Admin\AppData\Local\Temp\60023bcb4cf1899dbb81084ec4cdb480N.exe
"C:\Users\Admin\AppData\Local\Temp\60023bcb4cf1899dbb81084ec4cdb480N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
85KB

MD5
a9461799c5ee8730ebaa61f6e46cd66b

SHA1
17426ceafe1aa399c6779172b13556d4c6342cc6

SHA256
02fe1aa89e89e1acd6e5385dfe3ee4a676028a36dc620c50837d0ed23f2dca7c

SHA512
5b05ed9ff4db0498491f1bff293cffc0d8f3223d24488262bbcfba3db920a3a24ad2ae0583d6f869cd8264ac6e7fd6de943114b9773982322816e1d7b9bb2e24

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
94KB

MD5
6eb560cfba0cc58858c30fecb96ba13a

SHA1
dd3bc78a042b07fe1c74d08aad594f5997de0d59

SHA256
243c139c54817f2e10751c48895848abd16f9e3c73babae1a09db15804682546

SHA512
f1b7d29c9ee6ad04d70a10f87661db059b0bd51f62d2e0363c73922919c7750c69c8024af0e5712a0efe511bc72f4998dbef0ea6ed56d7bb9242834755866683

Download Submit
memory/1972-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1972-162-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download