edf40fa9eea084eaf7376d6da88dc959ba247a2bdf2fa5a3859b0bc312a18084

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

055724e070b10f9937e3509b718b2aa0N.exe
Size

56KB
MD5

055724e070b10f9937e3509b718b2aa0
SHA1

eaf5fe1b0f87d1915f3fdcad0c8f96acf649bcc1
SHA256

edf40fa9eea084eaf7376d6da88dc959ba247a2bdf2fa5a3859b0bc312a18084
SHA512

aa65e15930441fb6370e492a0628b351ca7194038e9289b7dff55d304f1853747ffc4ad9677189607282460a55f442d1d00a25cba072bd3aa21c88bee2e341ff
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0mKV:V7Zf/FAxTWoJJZENTNyl2Sm0ma

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3296) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0008000000018710-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2088-654-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Manila.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Detroit.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\bin\jfxwebkit.dll.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Inuvik.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cancun.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.tmp	055724e070b10f9937e3509b718b2aa0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.tmp	055724e070b10f9937e3509b718b2aa0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	055724e070b10f9937e3509b718b2aa0N.exe

C:\Users\Admin\AppData\Local\Temp\055724e070b10f9937e3509b718b2aa0N.exe
"C:\Users\Admin\AppData\Local\Temp\055724e070b10f9937e3509b718b2aa0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
56KB

MD5
0643d08e02845490f1c736d596777053

SHA1
72ee482eb67884b38d63acf2a92d8ae5a28bc9d8

SHA256
f108529fe6c08b2a6d95b49bda67c43e6dadd14ee97f3816560ef01f9353a74d

SHA512
88a78e63f15e2975463d639300519d38a12d6d1e5fb6035dbdc2a140dfd1744a0e6005d855e397f315bc97284e3f8b5a2bb5b8d8285cefb85f06084cd398d67d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
65KB

MD5
db880116accdad00076c3b321dc75aad

SHA1
3eb63d5e4765b9d08a72da827efb4f63360b5da5

SHA256
e91bf6c53ac402b0b1ebd33548e7624cfb33b3dac0b16732bc5612ff0c9d7826

SHA512
7fb517989e50e595de7ee931c3e8f320fbe232020dd748f18c928037e743aa34b1139d87d910a06c8d0085fd190233cada687156e80a0d74f750f23148404562

Download Submit
memory/2088-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2088-654-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download