b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
Size

47KB
MD5

f2d39ad966711d126a44b2eb1176e02a
SHA1

1d3514a230447faadff388194b6c6da53d0682dd
SHA256

b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68
SHA512

277f7f0c90745e1c5c07f11e219c338d590785b63bcfa8bfb9d51cbae323c602ded40b5bb7341d5a88ead0b5ab0d3ad304b47a64750af0faa76d2473390f8e5e
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJXGiXZqVnHW:V7Zf/FAxTWoJJXUVnHW

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3747) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000a00000001202b-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2384-650-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Catamarca.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libd3d11va_plugin.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows NT\Accessories\WordpadFilter.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Malta.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jre7\bin\java_crw_demo.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Journal\Journal.exe.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_right.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgRes.dll.mui.tmp	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe

C:\Users\Admin\AppData\Local\Temp\b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe
"C:\Users\Admin\AppData\Local\Temp\b0e4d400b30591bbe189238c3a5ce8b871cb520e409f44344caf338492e45b68.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
47KB

MD5
6bbe115b3458b328d976fc8c50dc27d8

SHA1
5a93450133c7b10f60b20c28af4c406a2941cb0e

SHA256
ab757e186b782a1c980438c6ef7bc7c146a898c814e745eb5d420a846130e235

SHA512
f4203bf92b31887235334cb06a2a039bfb5f6f85d3e2e0d4ed7f1d35becfd13d503cb013f658920af30569502068c2449f89466afb18cfd9aa2b0dc0f46822a3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
56KB

MD5
a0901b15e5ca9a3bf5e809306f027a6b

SHA1
a396368a7e72ff30764502367176d05c5838abc3

SHA256
0121f2240acee69fe1a1dd0b0ce1aa2fb69bc660cc4bccf59921e5f7a4240009

SHA512
ee4c01d081b7355f02e2927df4bb28a18f428c9445e4f8df404c9c2ec490973b9c75548a4210ae9e9f5b7f4ad4000d868e7a58cd2bec7ff45716c7273a2ed3b8

Download Submit
memory/2384-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2384-650-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download