c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
Size

56KB
MD5

5d3fed6aec1e0d083f4ae26fa69a63e5
SHA1

bf1a3a1f45fdc91dd09c2a741bc77bcc008d14ca
SHA256

c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7
SHA512

19bb562404c39b62d120c99bd168418a1ca5bf5a6f9e0b40b73975d608414f0603f323ea4c51b974eae45eb8226a9032f76183becb83a0f9124896748077d4d4
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rR:V7Zf/FAxTWgGpGPwL

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3745) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2740-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0004000000011ba2-2.dat	upx
behavioral1/files/0x0002000000010489-6.dat	upx
behavioral1/memory/2740-646-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jre7\bin\instrument.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Regina.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_CN.properties.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Media Player\it-IT\WMPDMC.exe.mui.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libripple_plugin.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Media Player\en-US\WMPDMCCore.dll.mui.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Mozilla Firefox\qipcap64.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar.tmp	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe

C:\Users\Admin\AppData\Local\Temp\c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe
"C:\Users\Admin\AppData\Local\Temp\c9e6d0126551c606c7b1d851d67bf639e19cc7f778077cdc328893e7c65c1ae7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini.tmp

Filesize
57KB

MD5
6474a64590b22f4fd642faa9e9ac4ef7

SHA1
f7e37b5b6978d58ae6501544446901054b3c53a7

SHA256
fd7b5feaa05d57ea1275265e808202daca34d2345677d32c46b1101212c29ca6

SHA512
2d9b9c66175a17afef9e004eb6979617e58181361fbfde8108ef6b9d629f352e8b450db71a2badd55c2c670aa1a500224a31c2107b07cdde3878e1ee0517e7b8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
66KB

MD5
d95b558d579dc03c3d76bb2f2ae4b609

SHA1
53caf5a4df09e6ded919cef744ea7414a4961381

SHA256
8399ba1ec1d4bcb778f2d99cc4a2935a0fd067c3a30c021fde9f7b9e965818cd

SHA512
3bd4e58348ac602b266ef3e15413ecfd0e07ddd0ff502fcb809d79900ed7b69769839cae59caa86f62fc6e457fbb706dac2982e7e14ca0211e88c66019cad120

Download Submit
memory/2740-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2740-646-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download