f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
Size

69KB
MD5

c265caa3e7c712a0b9ec5e2c84b7343a
SHA1

9632cb36de06eb8cb48ec23702af9b4ea6524ff0
SHA256

f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416
SHA512

56141ab40af6ef53a17d441a861607e0d886f89a5597eca08e381ffe88626ff74f39c41283ec4e3bf38afc4361bc204ae56a8029ffd9cbe4884bb30a962f1dad
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8Q8/8fCR:enaypQSoskm

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3560) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1208-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000012118-2.dat	upx
behavioral1/files/0x0002000000010489-6.dat	upx
behavioral1/memory/1208-654-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\vlc.mo.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Media Player\fr-FR\wmpnssui.dll.mui.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre7\lib\jfxrt.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\gadget.xml.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Internet Explorer\pdmproxy100.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ho_Chi_Minh.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libadpcm_plugin.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsBase.resources.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwasapi_plugin.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Media Player\es-ES\wmplayer.exe.mui.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Common Files\System\msadc\msadcf.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\slideShow.js.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nome.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
File created	C:\Program Files\Java\jre7\bin\net.dll.tmp	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe

C:\Users\Admin\AppData\Local\Temp\f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe
"C:\Users\Admin\AppData\Local\Temp\f314b0f38469c1cc5742cd613ad3796b7231e6fcf15777bd9849ec57ce60f416.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini.tmp

Filesize
69KB

MD5
ab086b6bb74ed303c0a89749820ca3ef

SHA1
08cec82f2cbc00bb28e91cf0bd92bbd42c2299d4

SHA256
7ad9253a8bc65a2f0cd28de884c1f486d0741e1f772428c69dfef74e6a34da59

SHA512
bf914251989d4f81d3d273c8cfce1983eee3d3e43b6ab2f8dc41646b87a05091858c1eeb55d8a7b761ce74c1ad83f0a701de21fd95d7234de4639d00a8c525a8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
78KB

MD5
5027c638bc9dc344bcae5a13855b8412

SHA1
1aaa75896e529ce0f661b85e6234fe67e8f23d57

SHA256
1ff1d13122ed505ac81b20d6415975f09dbf696c718e0dd2c8ffce1cef583a6a

SHA512
f64c7b2da8f78b95255bbca3a13f2059940c2aa9b65661787df221e39785c3b6e74bae710fed102d5de2a7422ab4499ab8807fea4129d916092d9b7876e3635f

Download Submit
memory/1208-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1208-654-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download