d9b86df2ba4fc00bce88da22079663aa11b51f4f7ab4bd5f39c40860001edc9c

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68284ad15200e73955efdbb31db06120N.exe
Size

49KB
MD5

68284ad15200e73955efdbb31db06120
SHA1

6c8701bdcf411e9d9869516c0f638ba82171a5c6
SHA256

d9b86df2ba4fc00bce88da22079663aa11b51f4f7ab4bd5f39c40860001edc9c
SHA512

6c88d31cf0d91c93dfb8b9b81eb1332e60d7f05b2f64d7542e0e3dbf22ae6e4e8975927cad7a491b8cc553a5e6afc473e365e2d14c4696408c8a6eb9940b3b7b
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9MFxFk:V7Zf/FAxTWoJJ7TD

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3285) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000d00000001225f-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2668-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Boise.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\vlc.mo.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Riga.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Creston.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Common Files\System\msadc\handler.reg.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-spi-actions.xml_hidden.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.clusters.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\management\management.properties.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\chkrzm.exe.mui.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\jfxrt.jar.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Miquelon.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcs.dll.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\UTC.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp	68284ad15200e73955efdbb31db06120N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.tmp	68284ad15200e73955efdbb31db06120N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68284ad15200e73955efdbb31db06120N.exe

C:\Users\Admin\AppData\Local\Temp\68284ad15200e73955efdbb31db06120N.exe
"C:\Users\Admin\AppData\Local\Temp\68284ad15200e73955efdbb31db06120N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
49KB

MD5
1587b319fd5578638ef8293749111160

SHA1
3b630d0ef532ceaf63654082b95ee14b0fca9721

SHA256
484aec13fedc1ff1b07d4b6177f286c583a06e33b0c5bc61ff104bd5e55405fd

SHA512
1e87dcf9e42c87a3c84394b54ab274a3ac190dd08c29d79f7fd9cd446e7a92cc622a5725fee781b77813ed97b99441809e90780b486f2909961d84e8b010f1b3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
58KB

MD5
a6e3e4aca32107d7abffcf356a9b305a

SHA1
9e2a7a751047557cf9f2b69065afcd2a3b0eec06

SHA256
b571198ca71987f73449535dbced67927262714cbd010ecc2ac258aeb3fb97ba

SHA512
a6872569441ef63b2193b8cde868636bd348194bb66cc1fc317563a2f915f255f0c26372580e54fb429e0a622c081cb0efbd2f542e2b59cb4fd39aeb474c1181

Download Submit
memory/2668-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2668-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download