1aba43ffbffe2aaa82a4ac7ba964b797731530c767b52d35185c356436432e66

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e958c9f6addd0589bb5175aa3cdf10N.exe
Size

147KB
MD5

78e958c9f6addd0589bb5175aa3cdf10
SHA1

4b446c0ffe961c406a9f9add30dd66f63335a2e2
SHA256

1aba43ffbffe2aaa82a4ac7ba964b797731530c767b52d35185c356436432e66
SHA512

fc4b06c9dc6b0debf4d9fa196c0c5ad40b0c86e72a68dd021ea0f31aeedcf43f486f1a2a2eada4297765bec54ca4a2aa198ff71bd6505beaa3ad2a0fd2109dd0
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZf2XcqvWTWn1++PJHJXA/OsIZfzc3/0:fnyiQSo7Zf2XGQSo7Zf2XS

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2851) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012115-2.dat	upx
behavioral1/memory/2700-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0002000000010557-6.dat	upx
behavioral1/memory/2700-644-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\HST10.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent.ini.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.bfc.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre7\README.txt.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\desktop.ini.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\DVD Maker\Shared\Parity.fx.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Martinique.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jre7\lib\calendars.properties.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.tmp	78e958c9f6addd0589bb5175aa3cdf10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78e958c9f6addd0589bb5175aa3cdf10N.exe

C:\Users\Admin\AppData\Local\Temp\78e958c9f6addd0589bb5175aa3cdf10N.exe
"C:\Users\Admin\AppData\Local\Temp\78e958c9f6addd0589bb5175aa3cdf10N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
147KB

MD5
cbd6d97dd6a6081635c0b2203681a5b9

SHA1
ab460bbe891babaf1607cc06c436751b41e0ea8d

SHA256
e5f6cfe6f23e747bb72647d0f6483cb191334602dcedbe051929601fcb8d49fc

SHA512
eac3c361da40f27c8db3e7793b292cde5fe56dd66da72d2c0c325a4bf3f37211c2d798b076f62e6baed3c643770dae695fda2874e2430382928482398e7d5bdf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
156KB

MD5
0bc1a427736e8f16f4848c8ab525192f

SHA1
3d5ceb50cd4273d31e95166cce7e14b198877cf2

SHA256
71b9afe67174f49b5fbbdff5c506233700a8b6c0f043511d71f169d069eefcd7

SHA512
1c3360305624e11231f6e4a7a32e11a82869e02fff2e3feb5ce161b47fa1eb80a5399c99f5f7af72e5028b50fd22195e3854752890823eef30c70a8b0cb41020

Download Submit
memory/2700-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2700-644-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download