bc9b420c553e244222f72596fa19c9e65c5055304288c07ab900862c38a238fb

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99df5398e3a96d12ac2532018977d430N.exe
Size

44KB
MD5

99df5398e3a96d12ac2532018977d430
SHA1

dbd0ad229d8f394276637208d067006bb914cd4d
SHA256

bc9b420c553e244222f72596fa19c9e65c5055304288c07ab900862c38a238fb
SHA512

57c86cfdccf63fed679eddbe6e97de595434a00584873d669550cf1f91adfba98cc5a663591130ee0536dfb59c6b3bfef236794dfb90b3f2dffeb5c60b8f4797
SSDEEP

384:FBt7Br5xjL2Kd5AsAoh6n5eaOlIBXDaU7CPKK0TIh6SjeYDTcYDTkZW8b8T:V7Blpf/FAK65euBT37CPKK0SjeQT

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3212) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120f1-2.dat	upx
behavioral1/files/0x0002000000010557-6.dat	upx
behavioral1/memory/1512-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\ext\dnsns.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Internet Explorer\iedvtool.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_es.properties.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\index.html.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre7\lib\ext\meta-index.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre7\lib\security\cacerts.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre7\lib\zi\GMT.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	99df5398e3a96d12ac2532018977d430N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Palau.tmp	99df5398e3a96d12ac2532018977d430N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99df5398e3a96d12ac2532018977d430N.exe

C:\Users\Admin\AppData\Local\Temp\99df5398e3a96d12ac2532018977d430N.exe
"C:\Users\Admin\AppData\Local\Temp\99df5398e3a96d12ac2532018977d430N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
44KB

MD5
1d1eeabca0497a5dd1d4e7f7d45a3184

SHA1
1e97d9f7a9b33071dd591fd6d991807c3479b422

SHA256
41463cf7360de9cff4b8c6e02d1a9c5d4cd6d18cd34e9dadd8b9d9bea37a4a44

SHA512
5183abd147f21c755580e41971c3c6108c969d9d01706293be5215f80d43bcc09e0c809fdcf93cb9be78b9b61bfbc4ce24ebc42044279fd608b8610f40523509

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
53KB

MD5
b289cc7783014cfb5173514bd4a9c0bc

SHA1
8989877fd3da3738b051ee6d9138f862079663b3

SHA256
a13612cebc199a0b2f94cc85f116760507837bb214ff14f35a65e93415075571

SHA512
6660f2f7120e9d0022b47fa0f730d5c126db136bb77063d917b4dc4ac1db6f7e4e87fd1f39589591d03e812162497eee8794982d28948135e9d22ce8e4487314

Download Submit
memory/1512-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1512-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download