78a3728acaee97ea503f9ecaf77b49c077c6f8a6a64c5b8f38e32e6230bdb07e

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aa0d07800ee4306b1647da5f2c72640N.exe
Size

80KB
MD5

0aa0d07800ee4306b1647da5f2c72640
SHA1

80eabfe6b4f52b97318be9f72af53e65a2de65a6
SHA256

78a3728acaee97ea503f9ecaf77b49c077c6f8a6a64c5b8f38e32e6230bdb07e
SHA512

b873db5d41aa87a285b8c718e2e9d5b53bd486283583c7837dcfdf9b5e9b8007068ef9b27f1fff0ead033ab709c01230267b8733937042be1c73bbc9c677cb0c
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZR9TZi9TZ2:fnyiQSo7ZTZcZ2

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3125) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2764-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000d00000001224d-2.dat	upx
behavioral1/files/0x0002000000010663-6.dat	upx
behavioral1/memory/2764-654-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\VideoLAN\VLC\New_Skins.url.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jre7\bin\java.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jre7\bin\jfxwebkit.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Thule.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudiobargraph_a_plugin.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Palau.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Design.Resources.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Windows.Presentation.resources.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yerevan.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp	0aa0d07800ee4306b1647da5f2c72640N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0aa0d07800ee4306b1647da5f2c72640N.exe

C:\Users\Admin\AppData\Local\Temp\0aa0d07800ee4306b1647da5f2c72640N.exe
"C:\Users\Admin\AppData\Local\Temp\0aa0d07800ee4306b1647da5f2c72640N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
80KB

MD5
af86efdbd0150f6e35d49dd3d4e9ff4d

SHA1
821f47d9cb7f0bd0b7070fba25acb53eb71440aa

SHA256
e3cefc98e7ee7bd9891a33e4de6f673e74c5dc3e15e5d7cdf470997fe6781bf4

SHA512
e3cd39cbfc473a0877437a7d7acb2bbf73e19d8d1f51f2d9f3420aa71986817efa5ce06bf8633b0fef341541ac78e17ec78be45653db171fe61dda497da73dfd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
89KB

MD5
3c7e395d35afd924bd8de9047f9635de

SHA1
08c9fbbd0607f65bc0d285a28a84529fe4acd772

SHA256
9d87d69cf790a81377279fe2466974e018f7410c27fbc8587b890cfe0991b1f3

SHA512
035137ee61bcc823fb1effdc1cf97158840f5ffd2cbe24d3e137833408ea63e7bfb408b9b602740f16edfa280e2affd0ba005c27c3dd4f67c04596d829b008dc

Download Submit
memory/2764-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2764-654-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download