960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
Size

51KB
MD5

90a77ed6a065d9efb835c08fe83bfbdc
SHA1

20ad5a0e840ad9b6cdc6215b9c055b68603f73b8
SHA256

960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4
SHA512

b38642106aa3fe42b54e309610872dd87fbd2b36c2fe95c7148cee10249cb72a325e20823731acf18b14a0da6b73ee722eb524b1eb521ceb21b011728ed194d0
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9f/Gum/Guv:V7Zf/FAxTWoJJ7TA

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3820) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000018718-2.dat	upx
behavioral1/memory/552-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0002000000010622-6.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Efate.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Media Player\es-ES\wmpnssui.dll.mui.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.dll.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jre7\bin\zip.dll.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\ExportCompress.ADTS.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\HxRuntime.HxS.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jre7\bin\javaw.exe.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jre7\bin\server\jvm.dll.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf.tmp	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe

C:\Users\Admin\AppData\Local\Temp\960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe
"C:\Users\Admin\AppData\Local\Temp\960ee2a99a684fc03d99e37d073f30dd30917849b3a4944b2cc55ee55d2ae3c4.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
51KB

MD5
6f106cd62ae746da17cafeb5df7688e1

SHA1
c047805e3323c862a63b49b4c7a6a84fe249091f

SHA256
c2e38a2af19cd9af6fbd7a5d21544ad40aa60881facd33d99507c73a107f9dde

SHA512
d70542df3be778e75601a15c7421f0ab05c8e7c4e46bfded3ed7bbc013b2b5db4d9bc21d540e2a0c3ef8557cde65c3bdf35341b76b7d291ade961abfef7e1b73

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
60KB

MD5
d2776f2d7510a4834cd1155c28033f89

SHA1
95f309a8da654c447972b9e4fd2700b31e236c5d

SHA256
9a421e91ecadaa7619a208471311b454a9c99f5bc39fbe5b6858b34fd9ac7bed

SHA512
d324ae38310da8980e3ff40b5dd80978810b7b1423050e166f71a963407a11ae3662e88c6d1855a056110924195efc2b7fd817551fe935b8df6852064b3711fd

Download Submit
memory/552-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download