fc2008fae59cac9219602d17c77518906d5f8dcfdc65f3ededbf7e746a2bfa1c

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb66c57f2928fe95834643eeea6b990N.exe
Size

76KB
MD5

afb66c57f2928fe95834643eeea6b990
SHA1

5b21c6068e86eed25b04543b030461a2b667159b
SHA256

fc2008fae59cac9219602d17c77518906d5f8dcfdc65f3ededbf7e746a2bfa1c
SHA512

b1e9528234c4aa07af1e2c4f720d929b6876c192d755a413809ceee9fa7e80f07db080371710440b1e2df7bc93bd7bb122053042c666a71b4204d3e1dcce947e
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rt:V7Zf/FAxTW/ySSh9j+9jpGnfO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3137) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012117-2.dat	upx
behavioral1/memory/2508-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0002000000010557-6.dat	upx
behavioral1/memory/2508-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\FreeCell.exe.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre7\bin\verify.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre7\bin\dt_socket.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre7\lib\zi\CET.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\Minesweeper.exe.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10.tmp	afb66c57f2928fe95834643eeea6b990N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.tmp	afb66c57f2928fe95834643eeea6b990N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afb66c57f2928fe95834643eeea6b990N.exe

C:\Users\Admin\AppData\Local\Temp\afb66c57f2928fe95834643eeea6b990N.exe
"C:\Users\Admin\AppData\Local\Temp\afb66c57f2928fe95834643eeea6b990N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
76KB

MD5
cadb372ea6b3c462e69339d9b67fd470

SHA1
aaa49bfe915cafb49ce01ff1f3a7af9dbe0cd5f2

SHA256
9f46cc7e7ca31b3028a8916bbf933ea68e0231168952eea5b542e5934a22a044

SHA512
848d11c0b19fd42ce3d7b702a579301b245171bad4efc23452ad0fcc2cdc5062a9a51521cd04f4bedf5ef15b992973b4d8ad9e570416c29b089650ec2f92a7bb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
85KB

MD5
23f3a82b044c46d2aab7c6a4a6551f2e

SHA1
b8129c0a2da383bba931a94da244b581920041b6

SHA256
8315947832d735eddd144e382828f86a389866f4ef19e9ba5edde05ae4b4609e

SHA512
76554b7694b5fb82d2a2a02651383c165186b367848495bafad961c2f2629414e8a6dd48662fbc1db6eacef6db0b384c9850adb64d2f13ce8bdfbe5a9eae3456

Download Submit
memory/2508-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2508-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download