bd47661839824d42ef14f76d3bb2abf852655a87a7a466d974a8fc458dc86e54

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16d60e61b5a01e6c5ca801b0834237e0N.exe
Size

166KB
MD5

16d60e61b5a01e6c5ca801b0834237e0
SHA1

1983d4cc898fd90266a9cad44c4617b2f711bf2d
SHA256

bd47661839824d42ef14f76d3bb2abf852655a87a7a466d974a8fc458dc86e54
SHA512

bc05504feb4d38740370808344f620c4b94690a44baadf347b0ca9d9fdb508bc8264a38bbcacf162e12f047268720dc5f08ef58048620de5e6aa117896daf7a2
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8zx3Y3hx+fsio5UxKzWZ64+A8C4bw2:enaypQSo6VEio5Ua4NC

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (246) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c000000014968-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/2468-26-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\msadc\handsafe.reg.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp	16d60e61b5a01e6c5ca801b0834237e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16d60e61b5a01e6c5ca801b0834237e0N.exe

C:\Users\Admin\AppData\Local\Temp\16d60e61b5a01e6c5ca801b0834237e0N.exe
"C:\Users\Admin\AppData\Local\Temp\16d60e61b5a01e6c5ca801b0834237e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
166KB

MD5
d4ea2320d681212f0bca86934cc93657

SHA1
22c7277e7256440a2ddd323fd42ff94018ca574c

SHA256
538f7d85f4d10be5e3a69e2d0e37cf5d241d59f58096aa2d365c160fb5edec23

SHA512
6a6742e8cd2ade72a7fb4d6be7bd7e97507c14085dcce1ad9d8b8fd4d66dec73e7ae19879d8e579d15b852f04229fa8a2a5a3bba0c7a4ccdc73d7173cdae4e3e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
175KB

MD5
afb9e4c299be09ec25a93b51cc7b0bcc

SHA1
57676c62c4ce933c887f72dcef98ac01368e5eaa

SHA256
6ea809502a77125e02e0974566bf91369bb2be482e4b7a51d83d72f676eeaba3

SHA512
d79f09f4c78e7b574e792da3db757620dae3c81eca58875fa45e8e5b2124c3274c3d246f22a0a685ffa0f686c242d433311ce412a0c8623ea22c79f5d86a427a

Download Submit
memory/2468-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2468-26-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download