07551474a3d5deb5c593e8eb2fa36b69f919e22c43fe7d464c127e30ccf01725

Analysis

max time kernel
118s
max time network
21s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
Size

57KB
MD5

4e02ec3338e9f3ce79d9bf0bf7fbfb40
SHA1

5096d259d8ed2dc4c1b03e5b4285dee26d7f6f4f
SHA256

07551474a3d5deb5c593e8eb2fa36b69f919e22c43fe7d464c127e30ccf01725
SHA512

c06e86e54f412952eb65d873acb78fc12e1be47bd7695b907a7fd0cffa61d881d7e84f548cad52bda2750a6506b4077843c04778d69e1a024982561ded95d7d8
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2r/:V7Zf/FAxTWdiE

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2704) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1756-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000700000001211b-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/1756-162-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-text.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.dll.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_it.properties.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Chita.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Manaus.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jre7\bin\jli.dll.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\README.html.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\System\DirectDB.dll.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\splash.gif.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.bfc.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\DVD Maker\Shared\Parity.fx.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\DVD Maker\rtstreamsink.ax.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.tmp	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe

C:\Users\Admin\AppData\Local\Temp\4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe
"C:\Users\Admin\AppData\Local\Temp\4e02ec3338e9f3ce79d9bf0bf7fbfb40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
57KB

MD5
dd9a81dc024038ea7d8e1ad73a5b4851

SHA1
b3566a646a8a40fdb2a3548d40730861b535c3c7

SHA256
0bfc6ff9131e3c4eed34d950606e8bcb0c8b87876381d4a384a6fe170441f44c

SHA512
fd0fd9cb69e8157bd60acaed877c0a435b86f6989a15acf75625b7bcd278f09a6408285075139aeeb0decb7881c86fdca3d031127139ccb83a29c9775fbafa60

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
66KB

MD5
ea076638c2ef21d5f843ebb976802828

SHA1
794fad78920e9c9e2165d23ceeb98d6a0fbe8b40

SHA256
accafc6cb85871630462604f64cc60d7f586be4e0611736f0a79ba7f22ee9445

SHA512
9499bbb71d98faedeb629026c7ba3698d688ed42fba448c3b6efa79f4812591f0b218ae19316feb4b67c1c6ddc64872e9565c612568d6c106f4d63c1770b6959

Download Submit
memory/1756-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1756-162-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download