44b9d67753a34158b49f242a1b7dbaf096f87109c68bc1f4ddafd2a893c5761c

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627bf4a022080b46790d9a8eb01eccb0N.exe
Size

76KB
MD5

627bf4a022080b46790d9a8eb01eccb0
SHA1

4870ac41cbf72bb9348ded1d17fc6feac3a7bc81
SHA256

44b9d67753a34158b49f242a1b7dbaf096f87109c68bc1f4ddafd2a893c5761c
SHA512

f826d1d416b107654d86867a56b8c0284b543b47b804507a4bf1ad0d212f984efc7c5fb3ad3869f9f8131aecc2566160c45b36217991010df33ac490b4903572
SSDEEP

1536:V7Zf/FAxTWoJJZENTBb7dsXDZklYGCYusulXZemZeM:fny1tED7dsXDZklYGCYusulXZemZeM

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3201) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120fd-2.dat	upx
behavioral1/files/0x0002000000010663-6.dat	upx
behavioral1/memory/1968-660-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jre7\bin\JdbcOdbc.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jre7\lib\classlist.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hebron.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Internet Explorer\ie9props.propdesc.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\index.html.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Stockholm.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse_1.1.200.v20140414-0825.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	627bf4a022080b46790d9a8eb01eccb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	627bf4a022080b46790d9a8eb01eccb0N.exe

C:\Users\Admin\AppData\Local\Temp\627bf4a022080b46790d9a8eb01eccb0N.exe
"C:\Users\Admin\AppData\Local\Temp\627bf4a022080b46790d9a8eb01eccb0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
76KB

MD5
38032ff0691fb1379eaf0e7410afd64b

SHA1
8db0a12783c53b54ac2a87a9eb349daae1ad90b8

SHA256
5e54a75996cb561997928a31338d357966d519a2d480aaeda3eb03e023a97608

SHA512
3c1e876224be2594a37e72d2c56d6bc4eb4c43299a0414a2e345314c6376284e8947665e10251e1d585c3a58178696cfd695c14393432fea5cac264329566a83

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
85KB

MD5
4b8b9be39f1577e3c12a879f56070f66

SHA1
1f4c626e3c4b3e69096a598f1f0c9174630d62af

SHA256
68ab7cab95cbcf078c875ea162c53bb3974c6b37387c734e23c43165f2217884

SHA512
fc5191d862763cb92d46450cb0588dfb76bee0b1781308d2cea182637624746f0c5742a6a38f259e650dd89f37070321423632a9993b2ba3a50698adce32927d

Download Submit
memory/1968-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1968-660-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download