5fc949ddea2b5a7b1e33e22e8cfac55cf851c1b0e874dbdc1559251b1e9e0117

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

415d786ee5f4ffc0cd8a707d924f7c40N.exe
Size

51KB
MD5

415d786ee5f4ffc0cd8a707d924f7c40
SHA1

cb050b623f8928d48e604de43e107fe7cd3b950c
SHA256

5fc949ddea2b5a7b1e33e22e8cfac55cf851c1b0e874dbdc1559251b1e9e0117
SHA512

0a325f2ec4cc1b563363fc8c03421d999481f1d0d9f0790db87d0a3189d1ffc833585f6668adede05c15b67a8cdcc30858112fee153b9ee3c2c0277ad0ba7f6d
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMc1yw2Yw2SeGUNGUk:V7Zf/FAxTWoJJ7Tb

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3089) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0008000000012119-2.dat	upx
behavioral1/files/0x00020000000104da-6.dat	upx
behavioral1/memory/2248-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Internet Explorer\en-US\eula.rtf.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunec.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Microsoft Office\Office14\VISSHE.DLL.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Malta.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp	415d786ee5f4ffc0cd8a707d924f7c40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	415d786ee5f4ffc0cd8a707d924f7c40N.exe

C:\Users\Admin\AppData\Local\Temp\415d786ee5f4ffc0cd8a707d924f7c40N.exe
"C:\Users\Admin\AppData\Local\Temp\415d786ee5f4ffc0cd8a707d924f7c40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
52KB

MD5
0503abbfbb278170b4e53f0547b0cc68

SHA1
52154befd47a412cd7f4be1503f2819aca0907ca

SHA256
f99c7d85fb17e734c5836ab8995dbd9bb2a644fc2265c2bda3643261b87cb8fc

SHA512
4bf21ff2986b5d9b5be5000c0dbc5b75978b5697fa3644a4a00e05b35fe9c9d4b38d53bdc1a1531a8b9d56cc2db9a46b352bfda1df2b58eb56f29a2130a39a70

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
61KB

MD5
1ed10e88c149aaf0e508089a0b1513da

SHA1
827119d78f7548683d9f65952da2cfe2a8a1a1db

SHA256
783b28b1ace99589e4b0363a811975032b07efc8085446f6701bbba76b7f81fc

SHA512
2ac125ee200a7d1385f66ea96ca9ccf2493e55d1068b56fcaf249785643cfbfa054f05912edae987934ab9767f4a604dd8cf638279fe56acc270ba235d3b04fc

Download Submit
memory/2248-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2248-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download