c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
Size

111KB
MD5

774ecb74cee5d2341ddb8254927292ae
SHA1

d6a269836cf440486411ce94ccff7e20e7517f4e
SHA256

c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214
SHA512

9e9c560463d6717b3cd2f72b7bf23de6ff950f6f25e85553f60833177a5e06cf014079613df8623780d116278cf0a65a7ae86bba3d547d72b79172c0447a77ea
SSDEEP

1536:V7Zf/FAxTWtnMdyGdy4AnAFTWUnMdyGdy4AnA6mI:fnyGnpAbnpAQ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3473) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2168-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c00000001227f-2.dat	upx
behavioral1/files/0x0002000000010622-6.dat	upx
behavioral1/memory/2168-652-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.access.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Half.png.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_hov.png.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jre7\bin\server\classes.jsa.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\gadget.xml.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.ServiceModel.Resources.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Mail\wabimp.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\settings.css.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Engine.resources.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Internet Explorer\Timeline_is.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
File created	C:\Program Files\Java\jre7\bin\jli.dll.tmp	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe

C:\Users\Admin\AppData\Local\Temp\c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe
"C:\Users\Admin\AppData\Local\Temp\c96f9eb7ab53db8c4814420f65874a1a48a0c7580120d7442d0f774e30818214.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
111KB

MD5
e34034ba17ec22bb517db383e211f8eb

SHA1
9a81d1e43b1f6c54f6c142dba77900fc6b33d1a9

SHA256
4cab92b16ac8c58b9eca152a933222bccfde2324554a1b09edc1582c17a05939

SHA512
588c6b9110a796a55938465f5da072a87c6a0b3b186206ffad7a5cff2ab366d27de5533b4552a05dfeb8788e950aecd8ae187484d16f20cca6697aa99c0976e9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
120KB

MD5
0bcffbe1eeaa1aed3c28d31862d05083

SHA1
68d14db5e5da679e9e2d3604b8423b992300d468

SHA256
b546ebc03b5f305fa74f53d49e8cb4189f5da03d98a2c2322e5035ccbf3887f1

SHA512
ccc1cfa9f007edd24482492f1c43f180f52efb35618c23e73d92487db07b62efaa7de8357bd76f78256cf2252da1a51fbaafb5f4e1ab79c259f70e7d02c606a5

Download Submit
memory/2168-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2168-652-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download