c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
Size

37KB
MD5

e016d0704365f75ffa74413b2b08f2f8
SHA1

52a3ed175c254e05bb2edcc596ba2476cfe7b3d7
SHA256

c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a
SHA512

fe3ac902de7133650e5577da8b7af3c982c03421c62687cd065e06383b12dce456eb7eed622c6bbb7fafaaac1240efcc49183912c6ebd2a1e83bee05bd628373
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeinMdd:CTWUnMdyGdylT6

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3832) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000b00000001202f-2.dat	upx
behavioral1/files/0x0002000000010663-6.dat	upx
behavioral1/memory/2136-76-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\sbdrop.dll.mui.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jre7\bin\java-rmi.exe.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\VideoLAN\VLC\skins\skin.dtd.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdiracsys_plugin.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextService.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Journal\de-DE\Journal.exe.mui.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\settings.css.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
File created	C:\Program Files\Windows Media Player\fr-FR\wmpnscfg.exe.mui.tmp	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe

C:\Users\Admin\AppData\Local\Temp\c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe
"C:\Users\Admin\AppData\Local\Temp\c233a61539d0fd8c3c4903ec50003d9ec03162840a43a7f5da78e61082360f8a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
37KB

MD5
3cacb151bcc0b91b6ef7f06521cc301b

SHA1
9c4bbf41b87de5b17af32bd043f8db4d7f3ad3c6

SHA256
d6c0e14abe1701b2c51cb4291db56afe5f7ee199792cea293e7f3c4689f03170

SHA512
341e9507058b0624f2028d016514d06b570a09d7dd778f1d3e1c28dd803fde702b8965fd43111fab20dafef89d92d588c1eecc706b60e59803110aad5e747076

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
46KB

MD5
dafbd0d0f42d575b6fa96c67a268dd2b

SHA1
20a0750bb3ac39dfafd6a2e93f43b6c14690ceff

SHA256
730e5d828bb78b20ed75fdac8d83a9af464f0e9cdacfda239c1cc7bf6582d33f

SHA512
954d066a1737b31d8024e65bd13a0e9a0ae1a5b8f62f6fafb71f0c90d39ab26092c11c6691a26f5b3e3e3442b465b0cf1ea5b305a3b00394690fd4668472499d

Download Submit
memory/2136-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2136-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download