c00a5711e33b13fbaf868a8a7d3ffef936b2f44c831814206ec473df40990b79

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c590688de8ea598f6d1e7cc7699c9c0N.exe
Size

21KB
MD5

9c590688de8ea598f6d1e7cc7699c9c0
SHA1

3d645312106d75ea7b6250d8a0870833fedbd1ae
SHA256

c00a5711e33b13fbaf868a8a7d3ffef936b2f44c831814206ec473df40990b79
SHA512

d552c9b4cec56af68381c5f761b6e4d1e42fb1fe3820df786b1668b3c9ca5ba29b337bca92d221b46963332693e7a60a088d766e6096bbfd970817f4601ff8a2
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJcv9c34UD+34UDnVuQVO/IO/L:kBT37CPKKdJJcu34N34mVuRhL

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2892-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0009000000012286-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2892-48-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Fortaleza.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	9c590688de8ea598f6d1e7cc7699c9c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c590688de8ea598f6d1e7cc7699c9c0N.exe

C:\Users\Admin\AppData\Local\Temp\9c590688de8ea598f6d1e7cc7699c9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\9c590688de8ea598f6d1e7cc7699c9c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
21KB

MD5
98011a1f0a70e4bc95b19ddb35b9cd01

SHA1
3af3b824337d97b140a7e4f90decedf89a36fca9

SHA256
7944abde61b4fbab26fc0804d60714a56e63378a508723c47bf65891ff18fc19

SHA512
cbb149011ef8436fe42e8c03d1c651816ed009f8815d12f8572704395e503ee99fb755d414aa4f4232b1dff17986fe7b4e3c1734c104ce7a2af375f6b88e102f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
30KB

MD5
3d9f7b264c6fd7092038c9f39e10d1f8

SHA1
aefa19006d4334517f88a69a1b60a0dc3746bc6f

SHA256
bd14310a9b6444d261360c8dd2887e7ed415ab431cf9e9bfa38e762c0bb0dcc6

SHA512
3a4c2137c8552310c6171b9fec76733e291370fc8ebcf4cd538286d7250c82d86c9be201227e6073b1bcdcad5aaef8cc709a778431887029730b822e8b16aac2

Download Submit
memory/2892-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2892-48-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download