575ea6ac6dab3074b6015ba8a2fac9eaea523fd1f5cf9e64232cde9dc3323fdb

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 18:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf62cb5c6c5359786dc639abfc32a9c0N.exe
Size

75KB
MD5

bf62cb5c6c5359786dc639abfc32a9c0
SHA1

83f6c6a8d3a4562ceeaf0e50cfcc4da050ec5ef8
SHA256

575ea6ac6dab3074b6015ba8a2fac9eaea523fd1f5cf9e64232cde9dc3323fdb
SHA512

0c0754cf7f76060f05ebe3eefeb1346a976c8cc019ffa9fe2c9b8d6dea0f30e8fe77f1d3cd16050bf87d774797b9e7ae480f7c459972a00871f750eb6c90e08f
SSDEEP

1536:V7Zf/FAxTWoJJZENTBb7dsXDZklYGCYusule9v:fny1tED7dsXDZklYGCYusulq

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3096) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2724-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000012031-2.dat	upx
behavioral1/files/0x00020000000104f5-6.dat	upx
behavioral1/memory/2724-650-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\desktop.ini.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre7\bin\glass.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Sitka.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre7\lib\alt-rt.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\System\msadc\handsafe.reg.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\SaveResolve.vsx.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp	bf62cb5c6c5359786dc639abfc32a9c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf62cb5c6c5359786dc639abfc32a9c0N.exe

C:\Users\Admin\AppData\Local\Temp\bf62cb5c6c5359786dc639abfc32a9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\bf62cb5c6c5359786dc639abfc32a9c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini.tmp

Filesize
76KB

MD5
808dad17db7036157297772427bc868e

SHA1
1142914d66de4183c9cb20eb2a065847489c848b

SHA256
8f44ec89589efaf6ae3f5e3cc36f9fe42066721936ebab81bdab1c996834fc6b

SHA512
72b2ac19f95c189ea11cea1329e712f84bcb02f0f02059e3dd0d066f8eaf91bb488af4ef577d0ce23ccb6e95781f7515b76df744ef9749935dc094a195c3d163

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
85KB

MD5
d3953484063729fa04acd63dac666a48

SHA1
a5b66acb646d1be5695cbaa9ba8d43481a598661

SHA256
767134c210cc4d1d0159285a52e9cb55f3e9df85bf3696cd57cc49433d013740

SHA512
6eba3f9fd796b13962453d84d5102c2a9d49cacfb4a03e3f9c80e8b50c1b1f920933f79e2541c28147c76bd997096f02e30f9b4773b04a3f1a5bbf9e6d4b2664

Download Submit
memory/2724-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2724-650-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download