1dccdda159c0652f4e26703e8ed4edd376bc39b9fa5283f2b3394dcd6d16ba48

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b76a57e1778626b3e13eef62892a670N.exe
Size

21KB
MD5

6b76a57e1778626b3e13eef62892a670
SHA1

ba85be1c8f134597f95d737678f9e6a86611352c
SHA256

1dccdda159c0652f4e26703e8ed4edd376bc39b9fa5283f2b3394dcd6d16ba48
SHA512

1a4c728bed750ff175cf0bd7f2e98ad3c6b5523c3351a141f7038a5a0ffd4a16d7c035d76cededa8323f5542e076a7968a29aee0919865d492df6dd9a5768f45
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJcbQbf1Oti1JGBQOOiQJhAT17IU5c5r:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJV

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1872-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a000000012267-2.dat	upx
behavioral1/files/0x0002000000010489-6.dat	upx
behavioral1/memory/1872-86-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Atikokan.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Windows Media Player\en-US\WMPDMCCore.dll.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Athens.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Microsoft Games\Chess\Chess.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Barbados.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Windows Media Player\fr-FR\wmpnssui.dll.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Efate.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\wordpad.exe.mui.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev.tmp	6b76a57e1778626b3e13eef62892a670N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar.tmp	6b76a57e1778626b3e13eef62892a670N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b76a57e1778626b3e13eef62892a670N.exe

C:\Users\Admin\AppData\Local\Temp\6b76a57e1778626b3e13eef62892a670N.exe
"C:\Users\Admin\AppData\Local\Temp\6b76a57e1778626b3e13eef62892a670N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini.tmp

Filesize
21KB

MD5
0fdc52f71ca6a7e132a6a456b07d623c

SHA1
8a7ab164158cf68bf76c2eb21815984191cd47a8

SHA256
2dbefd8deb1bfd60d607f56cffe1da51b4f1e85a9f35988a9a57b0391ef0739e

SHA512
d71c264ee0c4b8d3f8774ac558cc6445d6d05eb43a2a80075713b90a4d6ebf6558bba798aa711cbeb98aa7550ff0df0c75f4f0e41d5f455916d400994d28021d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
30KB

MD5
25568014574cd157d921a86adb648da7

SHA1
b92b3293ec2152b488725c9a9f7609759c3e210e

SHA256
754ebeb388d02e09e0c312abc92f7ed7e20be3aaf5bff1f25f2aa70e7c9bb717

SHA512
57faa16f87e1041461d73635ab6ccd0e3f256d61b416f2f2eead32f6ef3c740fbefbaa2ff224c89e94c5dcab07cbcd20e6993ef78b9aa9bf1c98cc50ddf5fc26

Download Submit
memory/1872-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1872-86-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download