390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
Size

51KB
MD5

43e0c090d787bb7bcd08fd18ba1b44df
SHA1

852bfcb280b87dfd7eab3f7bb1b01fdfb1db2cd8
SHA256

390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5
SHA512

523fe4a09136e5cb3d7f8f0ab497217923f77880f35b200331c99b0fc98c9854e840029debda22cb2d2e1c0f1d7df63a43cd37658689686a121dc4ed677cae07
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyQYW:V7Zf/FAxTWoJJZENTNyQYW

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3787) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2820-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000700000001211b-2.dat	upx
behavioral1/files/0x00020000000104da-6.dat	upx
behavioral1/memory/2820-658-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_ja_4.4.0.v20140623020002.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Sidebar\it-IT\Sidebar.exe.mui.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Mozilla Firefox\precomplete.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsTap.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jre7\bin\jfxwebkit.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jre7\bin\jsdt.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\RSSFeeds.js.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Journal\PDIALOG.exe.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png.tmp	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe

C:\Users\Admin\AppData\Local\Temp\390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe
"C:\Users\Admin\AppData\Local\Temp\390745009fa112715419c86b5742b4177b69fa5d9674bf23c0430c2341c465f5.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
52KB

MD5
d48bdab4b9b7313d9d22db5e38d65ecd

SHA1
a04493183bde7fc687952704dd486840ca0492c5

SHA256
966281ebd5f5fb4da6bb4b059341c56d87e7589d48972e0b4850f11606135458

SHA512
5fe3b6088b55566d5f0e7a4bb09876de7dd8ddb552b6012b69c324d7a4165e3dfb15e062594190b0d517e4722b72a2059d6020162c15f2e4a22db1e9297b0182

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
61KB

MD5
a39a530beac6d4897673f359b94ebf7a

SHA1
23735344be47f4c027529bea2ab9016f39343023

SHA256
660453bb4d2114a946c3d88f0603942656a9ae220a9c770b2cd0c9177e104d81

SHA512
53c29ff3a52d1ad012041847bb2cbc0657634baf76170af63e24938e0f4fec560a3c2427c65a111333c8cafbc354467cf94f42cc76241cca2f9d974fe45d071e

Download Submit
memory/2820-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2820-658-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download