1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
Size

83KB
MD5

4367b48945b5c5176fc7ea4cc52c38fc
SHA1

77f5a19b0fcc8ce5077605d6a595b4c3a158dc24
SHA256

1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9
SHA512

df18cb4abd9277f9d3434dceea876fd16806eb54a3809bc1e317d6b1f5806541bb26cefa6cc0a9c3380a525a3c4b5e6f9008be98b136430ca64eb27fdb0615e3
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxQiKJAWJAC:fnyiQSop

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3497) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/628-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00070000000120fd-2.dat	upx
behavioral1/files/0x0003000000010330-6.dat	upx
behavioral1/memory/628-648-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.bmp.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Mozilla Firefox\libGLESv2.dll.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\wordpad.exe.mui.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Gaza.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jre7\lib\flavormap.properties.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jre7\bin\awt.dll.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jre7\bin\glib-lite.dll.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Colombo.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml.tmp	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe

C:\Users\Admin\AppData\Local\Temp\1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe
"C:\Users\Admin\AppData\Local\Temp\1b770bcf965ba0580c878b0f6ed03c8e19548cc66fa32d570b906d7e7582b6c9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.tmp

Filesize
83KB

MD5
e7637da98676ac908398b208632c6bba

SHA1
d222293bf318c2318685627d52ef62fa5fcacdcc

SHA256
e19b3e8c79a21fb90abe9cd414cebb9585fe7521ae71033613cd87d5057d5ee8

SHA512
3562b4fffdca348bf14f65a6dcc1654cccea275a3a0055a3c698ccec37d0fa39cf586494ca232015b0904e1bfe779156e36704cd593ff7edf1e16373a5eaaee2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
92KB

MD5
725205ddd57e877b5265c936d43d61c2

SHA1
8d29d8cf17a4878e01839395b549b96823d1d970

SHA256
1b40684e21e618999ebde812202ce36113636553393a360364e023347be30258

SHA512
69b54dce4daaaded9f50f86e8c5ddb81a95a884aae274e355373865a834efbbb06eaa7738da15a8525c9545e43eaaa98d7c468b35e13d21241a0c7617726d956

Download Submit
memory/628-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/628-648-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download