fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
Size

31KB
MD5

30e854b0edf4bc5dc062a42707c7f9af
SHA1

ea141b38ff3ad4edebdac9622c63991be45219e9
SHA256

fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc
SHA512

73b7527c0735861e65e61b67a14ea3aae09b13b1bab92f4d1fc10d487bf6694b7be2f59bd260f41cc512ec096920fb6a4b37b1ffe71078cd1d2ca61561d80ebe
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNyIHAJvHAJLMF/XqsGDGX:CTW7JJZENTNy3Z

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1180) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0004000000017801-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/2112-26-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Copenhagen.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Internet Explorer\perfcore.dll.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\EditRestore.wax.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe

C:\Users\Admin\AppData\Local\Temp\fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe
"C:\Users\Admin\AppData\Local\Temp\fa91910a364d0f77527953ab5bf42ebaf877fbd7b7bf10f927c79438e05d0ebc.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
31KB

MD5
5f0a6933523181146f6e43c5e36b551e

SHA1
c36b35f000d81819e685f82953443047c89200e2

SHA256
55da13dafd78880477859abab0e44e86ed59a909f8b9a6a7bdba7be9cd7d4bdf

SHA512
65c1c0a2cad4819cb53ab080ffab70da73a56638aecf6220e0f63fc2500c3e5b933f6135668f72a604d5ed59f8710caec8ef72caf23145f100025d76fb405f74

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
40KB

MD5
5b2941b8cee7f1463b855a27aa3f9e70

SHA1
9c675fd40257dc3a83055ab7b2a54f7b8b9617cc

SHA256
1fb9976fd6460e81443058e20d073a2fd2f3bdd715cae95261ca51cde2bb2cd5

SHA512
50ce39c8157122cbfb4d54a97ed1c69516a0533ab319643352b006218f3cf0d0872815f0c79ad3ad224627f4248d45c320cfd1931c30bf717a9e0ef97edba651

Download Submit
memory/2112-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2112-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download