e5126287a1c716d6952e5caed96327ab47bddb93b9ea9e3bf9d578673768cb81

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbfdb18691ee1ae51b1c0c717910b830N.exe
Size

73KB
MD5

bbfdb18691ee1ae51b1c0c717910b830
SHA1

088861bfc3256a858bd90ad7493ed437271ef9b7
SHA256

e5126287a1c716d6952e5caed96327ab47bddb93b9ea9e3bf9d578673768cb81
SHA512

4bff83fe3a7b3b5fdd875f57bb38ba6f42c15281bfdf46101eedd00040a81e03e2e1ed7f728bde88bcb8149c90170a19d8d3baa817497ec24cc7dc1e3e3fdca2
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxxD2Q:fnyiQSoxQ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1705) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1832-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000012116-2.dat	upx
behavioral1/files/0x0002000000010557-6.dat	upx
behavioral1/memory/1832-126-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Metlakatla.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\DenyGroup.otf.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	bbfdb18691ee1ae51b1c0c717910b830N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfdb18691ee1ae51b1c0c717910b830N.exe

C:\Users\Admin\AppData\Local\Temp\bbfdb18691ee1ae51b1c0c717910b830N.exe
"C:\Users\Admin\AppData\Local\Temp\bbfdb18691ee1ae51b1c0c717910b830N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
73KB

MD5
4613cfb787fd0eb6d9292adbd71f4d6d

SHA1
ba412e22f762aeb261cdfca7ebc5e4849ec4ef7e

SHA256
39b9ab482212fcdb17607fa64c7c582b74fa8c06804a06f18e0e3b47422559a3

SHA512
d88ff039ded602d7d7eab00e4ef45715c5cf1d047d5059b410351e31c8fa7a374a19628e652ffa0b096311481601d5da9db7ef2b9e1c063aa60a52479fb57df9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
82KB

MD5
5b4f9007f0632155003c1c2f63524e08

SHA1
167961dbc900caf9a1eaf87f22432bbcd5dcc779

SHA256
cc2e9722591a2ebbdc2cb5ce6b3a39bec1a30ad62d3d0f1e808ea2f476e01151

SHA512
b610e4f24189a202467438553a86ffb75500cf4443c1637c2dd14e585d5d6fbea1061285e6cae96405a63cf47afc3f561f357b2719796aec968f6058402230dc

Download Submit
memory/1832-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1832-126-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download