0b7e1db48e0507fe01e1d86918116ef9dbae0421684b43fcd467e72b70d27c5f

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1008435fc090c6d09831649ad4172d70N.exe
Size

64KB
MD5

1008435fc090c6d09831649ad4172d70
SHA1

7fbb8903aa1a20781168591b128abc3b6ed5bb08
SHA256

0b7e1db48e0507fe01e1d86918116ef9dbae0421684b43fcd467e72b70d27c5f
SHA512

f4a60f37fbd1cae590bfe96a73e0f5e4588877edc579be06896de75b8523e5674082008731343f6731084508bc7bc817c49f50596dbe1bbd8dc7187c3a4fab72
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8IZv2v+6o:KQSo7Zv2va

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (590) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2680-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00080000000120fb-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2680-48-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe.tmp	1008435fc090c6d09831649ad4172d70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp	1008435fc090c6d09831649ad4172d70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1008435fc090c6d09831649ad4172d70N.exe

C:\Users\Admin\AppData\Local\Temp\1008435fc090c6d09831649ad4172d70N.exe
"C:\Users\Admin\AppData\Local\Temp\1008435fc090c6d09831649ad4172d70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
64KB

MD5
66dbb6ab7948ea871dd6e9e88f2c349e

SHA1
af7a80b614c664b819a58ee88f1566b81b4a5ab5

SHA256
e672b1b21cb69cb776833c41a039deee6675d229ed287275131e73977e9d6f14

SHA512
1f40f0f0f3427cfd9565449b9aba6bfec91f78dd1d4be5a9d81633df35d7635daef1d9eaa10890af6d3f1e8b5a65603a3086ca3cda65262d7e212a5f8230911b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
73KB

MD5
e15b5f5be0c5628e6aed43fba9e5bf38

SHA1
50491c7e0b1edf4c05fffe29bd8430b19f67541f

SHA256
1225f5b39c8bd0cda04e7ee79e85d068135487b1f30a499c7942f478e16121c3

SHA512
05c4bf0d0f1f040f1b2e22c17f7503af48987886690b77697356f5fc25b9a6e577940bd0c04150159755ebd065f2bed23b616b8b0d77dc467f1e92e85feb098f

Download Submit
memory/2680-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2680-48-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download