b0171e97bfb1c137b52484e17150a0fd178f8922e23d99c3013bad12d54456e6

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 05:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fa9df6b1848c875360521a9f1c94e740N.exe
Size

34KB
MD5

fa9df6b1848c875360521a9f1c94e740
SHA1

8c4165d7c529b5a6f0607ab31b6d88ff21be2b2d
SHA256

b0171e97bfb1c137b52484e17150a0fd178f8922e23d99c3013bad12d54456e6
SHA512

3c15e29eec0af0ca14b24e21662472b85ed3f5288922d2200c4c7555b344fbeb168dfd2a562e206739c38b05eb1844f295d172023bfa4b56570575ca2a6a9f5a
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKvhp:CTW7JJZENTNyoKIKP

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3284) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2728-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0009000000012031-2.dat	upx
behavioral1/files/0x00020000000104f5-6.dat	upx
behavioral1/memory/2728-86-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Fortaleza.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\chkrzm.exe.mui.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kiritimati.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Internet Explorer\Timeline.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudiobargraph_a_plugin.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Java\jre7\bin\dt_socket.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll.tmp	fa9df6b1848c875360521a9f1c94e740N.exe
File created	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui.tmp	fa9df6b1848c875360521a9f1c94e740N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa9df6b1848c875360521a9f1c94e740N.exe

C:\Users\Admin\AppData\Local\Temp\fa9df6b1848c875360521a9f1c94e740N.exe
"C:\Users\Admin\AppData\Local\Temp\fa9df6b1848c875360521a9f1c94e740N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini.tmp

Filesize
35KB

MD5
65cbc38199d65941f2a6062417bfde02

SHA1
0c2de3ca17135a5274988a0e0d11e36c45d9eaf1

SHA256
deb6bf193c6a596c84d6753588780a43b4b8295fb85cae7833b1c44eb8338f29

SHA512
163a80e9643ecc3d59cda942b3c41297a23ad2c4a5eb898b8ab1a245793589e8231c5490cf368ee4d3898f0401bef813a4bcc4043933e808d5c31a467ab6b198

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
44KB

MD5
6ad52c4ff42689acd15cf151870457e9

SHA1
4ec929d3615700c7dee34e1d629ed80555a64202

SHA256
9100c577fbbc095d169841aad656facc19b34c675f8acfa5e3f49fdb0f2c4faf

SHA512
c4ae9d587107874ae969b4e0e1e0eaf374da39c3d98ca7f99bdf0c88e35816faa04c2785f333e52ddf5d3a08c3323e785908be7fef7bc1e9256ee31bfb0a3d87

Download Submit
memory/2728-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2728-86-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download