29b0907d51e77ed4a1889c32e0f9b036534972c54be4be0c991ca308004ca0f9

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 04:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc96301bee7c13bbc4dba4cfc5763dc0N.exe
Size

24KB
MD5

bc96301bee7c13bbc4dba4cfc5763dc0
SHA1

977a85cefd1e00f4c7ffe546726da2d87408fa0a
SHA256

29b0907d51e77ed4a1889c32e0f9b036534972c54be4be0c991ca308004ca0f9
SHA512

ec82a63e350ad4ead9f3547a56546d8c805e58362cdda0a0237dc2dc6ff01dcf6e726b4db86af0aa8fc8c9196d57d424d121362093ca62c26204955f5c43d990
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9dPdPr:CTW7JJ7TfFj

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3267) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a000000012283-2.dat	upx
behavioral1/files/0x00020000000104da-6.dat	upx
behavioral1/memory/2732-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\vlc.mo.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgRes.dll.mui.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Wallis.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\VideoLAN\VLC\libvlc.dll.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	bc96301bee7c13bbc4dba4cfc5763dc0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc96301bee7c13bbc4dba4cfc5763dc0N.exe

C:\Users\Admin\AppData\Local\Temp\bc96301bee7c13bbc4dba4cfc5763dc0N.exe
"C:\Users\Admin\AppData\Local\Temp\bc96301bee7c13bbc4dba4cfc5763dc0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
24KB

MD5
a5892f4ab4f31ceaf26282f3a87aab46

SHA1
d1a94e7b59d3c4f15c31e67c92eb0304cc0c988c

SHA256
f87f8e533f211d86809e30ce468583662c53f5545229935b1dd583c4401c591f

SHA512
673c0a8e3a51a19e74ad6fc335d1bd89606833313a0ba0bb88bcb30fdef6bfed916a754dcbd0f002c408188ac438f7d5f308d4d9a16d944eb998392af06e76d6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
33KB

MD5
f050addcdfaccc75d0b675f5ed1ab84a

SHA1
18f79fe51d4b51f808f455f64f8537eb7c05d768

SHA256
5a19f45a5571bbb58e8bd6ffb56ff51cdd4fe7ccf6cfee32458fee2c0bef73a9

SHA512
8f484071b45eb73ec11ede1d9d0f42de55ec70aa3cae27609b50bd0452efa32014c8dd116a2609eacee4aa255d072220268f14f2831c3995a6d0dbb06b7abaaf

Download Submit
memory/2732-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2732-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download