def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
Size

61KB
MD5

d4dfde9d7cd93f7763e417f97f24b422
SHA1

c28e952f2a5e80ea32a17719e1d69c093f7b43d2
SHA256

def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789
SHA512

d0c05785633b0fa9b380cbf4def98ac8393b75b20e2e9f35e1cc4fdcbbfa9054960196b8a280c914f32ba7fa2c599e1bbef74208c93d5602e8b498ab4e6228c7
SSDEEP

1536:V7Zf/FAxTWoJJZENTNyl2Sm0mdnwNSB4QB4h:fny1tE42rnwNSB6

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3730) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c00000001227f-2.dat	upx
behavioral1/files/0x0002000000010622-6.dat	upx
behavioral1/memory/1996-654-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\README.html.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\hxdsui.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Internet Explorer\pdmproxy100.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\gadget.xml.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jre7\bin\jsound.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\Microsoft.Ink.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\settings.js.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfreeze_plugin.dll.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe

C:\Users\Admin\AppData\Local\Temp\def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe
"C:\Users\Admin\AppData\Local\Temp\def2f6544842b0681d7d9e0c8113bbf37930e49bc285c4ac23dd5a788b665789.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
61KB

MD5
6d445cd7ae30ea9b3ba7ecb1e5f22e50

SHA1
c783cecd008c26e2ef959727f4db661bc656cf55

SHA256
4188c4e3b32bf8d427617f4fed71bdfbf5c28d2e38cb63ad29e82033fe890856

SHA512
6795f9980a0a8c529953c3fa90cf457f600f4338110429d7b647342bc63512a80c6d0066bbf3f25d33bdbf97c5c4e9ea8881d3f0f814af6c0b93be802bc5c68c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
70KB

MD5
b963f4403c15b96253c5d804d978a0a3

SHA1
e0acdfc4b4e9a5935169f33d33f39c9f374c09e1

SHA256
37a3f12a446abcaab89f1400855c68d942e8a596a0db7e910b374128f061d0db

SHA512
5b70abf6e63d98a989d6b2809b09c68ab80d833e74689fe5da64f60f165b5edc24fed84975323913f9c29b1d4309a6e33d1038c9aec21e303cbd3c72a56a7d75

Download Submit
memory/1996-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1996-654-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download