c2a61e77e73aaa9cf88b32e2044bdd36ae319587b4aa143e864f1b1f1625a5d7

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 16:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8742f667213551f5eea4c71179627e30N.exe
Size

82KB
MD5

8742f667213551f5eea4c71179627e30
SHA1

ec40cc0e3b854df64fc8c446c0cc49053fb46168
SHA256

c2a61e77e73aaa9cf88b32e2044bdd36ae319587b4aa143e864f1b1f1625a5d7
SHA512

5918c2d42e00430722d5104bc8ed15ce00abc2ef547034bc14e5fed05d8d580b8f543dca57a7cdc17f1ec4db160caea3bec2b612a5d6589f3d91b9b758c6a02c
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZR9TZi9TZG:fnyiQSo7ZTZcZG

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3168) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2540-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120fd-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2540-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxwebkit.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Jamaica.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\vlc.mo.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guatemala.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\DVD Maker\fieldswitch.ax.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Internet Explorer\F12Resources.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Creston.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\EET.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\bin\dcpr.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\VideoLAN\VLC\Documentation.url.tmp	8742f667213551f5eea4c71179627e30N.exe
File created	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui.tmp	8742f667213551f5eea4c71179627e30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8742f667213551f5eea4c71179627e30N.exe

C:\Users\Admin\AppData\Local\Temp\8742f667213551f5eea4c71179627e30N.exe
"C:\Users\Admin\AppData\Local\Temp\8742f667213551f5eea4c71179627e30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
82KB

MD5
5e5dcc60e01ad86283a4ddbf97c4ed00

SHA1
b592617a40c0e79a027200c3fc24bf025e4cac3c

SHA256
f2b1318adbf3761751840f8a2dc1990c789af127a630b5949fa92851a3980ddc

SHA512
fcb5a8dd0105ea1be6cd3051b9ab14e4bb5e3f76523fae62a7906c884061fda0a584ffb1a35729f587f1f09646ff5ea59aa01526d757090bb488eb26d7068865

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
91KB

MD5
d6a42fe0539e0cfc1f565a654c233984

SHA1
67563b6a34430962b0e4622d93564f571471d1c5

SHA256
181dfbbb69863132a9b3f880d206b911f29f4c834f3c6fc29a41de4f123507c5

SHA512
a8e8a4e167bcdf5e6eb4b5e92093a8cc3f1db0d761b24a419e310ddf1ef6c1ddf1a719c21391c8a8747e83ee16702a5de7600fc8087bd3eb9a660c99992fc70f

Download Submit
memory/2540-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2540-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download