d89360b863656514d72950daef282d26e2ccbafe09f59515cb8490ace79e4b85

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b912a10a61620d6d04d918093fc9af0N.exe
Size

48KB
MD5

2b912a10a61620d6d04d918093fc9af0
SHA1

cf8fb9deecb8604b0aaca1bf647c36f39e8da23a
SHA256

d89360b863656514d72950daef282d26e2ccbafe09f59515cb8490ace79e4b85
SHA512

496e65d1093b3e0e87b7b10ff2edabf36b6be4759520c54a34d9add632191abfdea5e37dac05fb4fe5e2c969979f6ebf4828738b16fb64a1da0062e72c3b3eb3
SSDEEP

768:V7Blpf/FAK65euBT37CPKK0SjuzJw8ci1x0zJw8ci1xI:V7Zf/FAxTW4zJwkwzJwk0

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (332) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000e0000000162ed-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/2488-20-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Internet Explorer\F12.dll.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp	2b912a10a61620d6d04d918093fc9af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp	2b912a10a61620d6d04d918093fc9af0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b912a10a61620d6d04d918093fc9af0N.exe

C:\Users\Admin\AppData\Local\Temp\2b912a10a61620d6d04d918093fc9af0N.exe
"C:\Users\Admin\AppData\Local\Temp\2b912a10a61620d6d04d918093fc9af0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
49KB

MD5
9913c363f39e8fd56074c1b87b0eaac6

SHA1
84a3f140e061b08176f6a760390ff3c4882ec5f7

SHA256
fd0d3314d4f3bee4f5ea1d0863fb9719ad930a074e79dac2b3db8c77d8c164d2

SHA512
e3ac6722e3e521221048fdd3809b0e9bd073196034e9ccd6f94935524b82a5d25a026502ba14158a7885bc5a3235e80d583998ab8166f64e0d7524d073866254

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
58KB

MD5
f310ea731e20b435a2ac67444c9c3515

SHA1
843609ab3d6e8d85fcf1235be20efdcfab22763e

SHA256
a37b67289c478cc880398faa4ec4be5bb2e6d4c02e497859c12eb50edf348f88

SHA512
f258949df1b3f82321267c27659e17c11da8983268cf04da17cbb85240c06196468e983a63323c560447914803759b2dcf53768534d566d01dc873fea7b9c941

Download Submit
memory/2488-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2488-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download