0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
Size

28KB
MD5

937d7cf40d42230e78c07baf8a84b0ee
SHA1

3d72f9b3f0582f744d6fb74aff28aa0bf1b97a33
SHA256

0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac
SHA512

f1b37d6b197aa33c9ffc8fce4a98d6dcdd1b782e92840d97bbe5fdb399befba618511e36f426fb58ccb6aca5cdd04ceacf6ea73e804119c4c05f5e8c0d868fb4
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9NNgNR:CTW7JJ7TzNgNR

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3756) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2452-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0009000000012279-2.dat	upx
behavioral1/files/0x000f00000001045a-6.dat	upx
behavioral1/memory/2452-76-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Perth.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows Defender\MsMpRes.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Volgograd.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Mozilla Firefox\mozavutil.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\service.js.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\TableTextService.dll.mui.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_record_plugin.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows Media Player\en-US\wmlaunch.exe.mui.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre7\lib\charsets.jar.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST5EDT.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Internet Explorer\F12.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.tmp	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe

C:\Users\Admin\AppData\Local\Temp\0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe
"C:\Users\Admin\AppData\Local\Temp\0cdee55b1412f41442a307c397ec22aae0118979819b37855b1d68f3d6a987ac.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
29KB

MD5
87a4673c8390135bedc723a36b218311

SHA1
4ac92327d5d4ae38fd56d08b8c7a6fc4070b9127

SHA256
cc598256f82d87eb5bacd4fd4e637addc7a422ae9372ced2b98a9af663ad454a

SHA512
42a12a30acb003b0b0dc2aaab0bc0018c4b33551a1f106771e9b2d5c25bf9fa6caf3daf406e076e8f12bdd304639fb76ca8884cbff88cfab8af762ffcd23969c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
38KB

MD5
b0fc8b9b2f21b04e476465ea7b15b51c

SHA1
aeb77955ac3d19146ae85da9c0cebcd170803bd8

SHA256
d9ed12bb004d92212a6f91c5f75ef873df762289ed32b261f513b22b8a547a93

SHA512
fa34ccad745d82ac44aa3a37beeeca8cee892ae6f5cfa538234f882ad44aeba3c0bbcc379c9a3372afe8c5222501c8eea2e9b8f03ef0c36d270958ae97472d7a

Download Submit
memory/2452-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2452-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download