d18453c10bf3c7116375d1fe26bf460e7d3b00660630d0f61a9fdb857e5637b5

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad8e2a1ea79ba1693f935bd55903e010N.exe
Size

156KB
MD5

ad8e2a1ea79ba1693f935bd55903e010
SHA1

9b3ded06a76147ea742ed3ba5466422235c1022d
SHA256

d18453c10bf3c7116375d1fe26bf460e7d3b00660630d0f61a9fdb857e5637b5
SHA512

edd3d1acc2824c636dfe39f63d7e1de861bf866ddd297a413687a1477014b65112c8f5d5cfbe211d599cbc86bcb447464aaef8538408e7a8caa65030ad1f0502
SSDEEP

3072:fny1IKX5vcM3ZpCbYjBQqOPzrjz/Lwn5NWRDv/f6ETy7oY8:KjAsjSlTwn5ODVy7oY8

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2740) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00070000000120fe-2.dat	upx
behavioral1/files/0x0003000000010330-6.dat	upx
behavioral1/memory/2240-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_CN.properties.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Miquelon.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Anchorage.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Maceio.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\splash.gif.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Java\jre7\COPYRIGHT.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png.tmp	ad8e2a1ea79ba1693f935bd55903e010N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad8e2a1ea79ba1693f935bd55903e010N.exe

C:\Users\Admin\AppData\Local\Temp\ad8e2a1ea79ba1693f935bd55903e010N.exe
"C:\Users\Admin\AppData\Local\Temp\ad8e2a1ea79ba1693f935bd55903e010N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.tmp

Filesize
156KB

MD5
e626494cc2288de57508ab094fe421be

SHA1
ef0c36a057c0a5c782c112c5bbaf99a6e2691667

SHA256
226f7d02ec75124861b7ab0a8b2096d1c4a584596ec92c8494ea1fbeab3e6836

SHA512
3d55b75894de7619d60b19d2c9aefacb32e84fea78b7c1ff8405f7e1d1505525f51660a49825468fbf9473782bd0c56de14da0221b534ec1fb19597bb2bb647b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
165KB

MD5
bb95833b6e0781368a9dda7f415da3f3

SHA1
bed302823714e164d2c6323ae39d5c908ac43643

SHA256
698b55e25fa112c00965721506f6348e13a4b9d3b89b61906bc2ea4abc8ea791

SHA512
b5c75139f93aabf0ac46ccf32b7fa98a109b903a14347dd4be1919013b8aff160672f9f1c5b2e868fbe145c2ec67df40181c81a06ce9666e261319ce2f2811f7

Download Submit
memory/2240-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2240-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download