a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
Size

64KB
MD5

dad1b151fc88bbca383be5e48f2318d5
SHA1

a8b06ff88c935f20a2750d5e49680f3d415a5523
SHA256

a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d
SHA512

b5d0c277352fce3a1b32c5f6feb4e5832c4ba98a3f83e41db67eb1172e22b13b3a55a45cd92d103a50725cc13f88ea9bf7d9368270c5b4b947ff5867aab3e4c9
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFz6:CTWn1++PJHJXA/OsIZfzc3/Q8zxY51

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3748) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2632-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a000000012029-2.dat	upx
behavioral1/files/0x0002000000010663-6.dat	upx
behavioral1/memory/2632-78-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-4.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jre7\bin\libxslt.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\setup.ini.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\DVD Maker\SecretST.TTF.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Internet Explorer\JSProfilerCore.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jre7\lib\management-agent.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\Chess.exe.mui.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Miquelon.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jre7\lib\security\US_export_policy.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfreeze_plugin.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn.tmp	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe

C:\Users\Admin\AppData\Local\Temp\a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe
"C:\Users\Admin\AppData\Local\Temp\a19250d4eed762b3f5a3a823ff56d147ce0555a7949365d698da4ddb95d9f75d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
64KB

MD5
2b26bea272191a933458c9fd10a71c9c

SHA1
116a993787f76576128008106db4c51f88a8a1b8

SHA256
bc3608a2645c173580d369c32180d3bebfc05c1ae71d1825599b4c4f7f7e9c72

SHA512
2719648e21cd5526c0ed5d93223248799db33300cbb063a53eebdf50d63fd795ae034d0e42b38bed5bca147ebd59d00144cdd8da645af0393b38c5a1b2254f33

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
73KB

MD5
f18bc6f4c441376112fe8af9858c41cc

SHA1
36c402d57a4dc246527e2fbc89078b7c279169a4

SHA256
b9438199f35036fefc22a2772856cf2a8f4abe8e5f8a20f0d92adc1a9c054a4e

SHA512
7233fedcc5771fe817ac88dd25083a6bfc6f8e1de60a69165b8c60579314d01b10e2761fad9c5122cbf9b07c8612c8b016588924220bf2bf03a25b1c7004184b

Download Submit
memory/2632-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2632-78-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download