81c6ed542d39dd24085bd6baf9f3fe0723fd1be69cf822afc6e29c3afd99d756

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 11:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
Size

58KB
MD5

2e768a9c7a2ef7e8132f1e9fc55d5af0
SHA1

e4101e80a021dd670797213c4742732e7d9efcc8
SHA256

81c6ed542d39dd24085bd6baf9f3fe0723fd1be69cf822afc6e29c3afd99d756
SHA512

7f2d8efdecf4d705f272daa9b2c6e6bddeff4eb631f6f6af3a023d974bebf0e6b336a3110b5e2e32a5462134e546777e77dc9c086279deeac60e816eccace024
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzK:CTWn1++PJHJXA/OsIZfzc3/Q8zxQ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3205) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2052-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000b0000000120dc-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2052-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Manaus.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Colombo.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Wallis.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\bin\t2k.dll.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Manila.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\VideoLAN\VLC\AUTHORS.txt.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\DVD Maker\WMM2CLIP.dll.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\bin\jaas_nt.dll.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\management-agent.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Efate.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\bin\nio.dll.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Maceio.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Java\jre7\bin\server\Xusage.txt.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgRes.dll.mui.tmp	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe

C:\Users\Admin\AppData\Local\Temp\2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe
"C:\Users\Admin\AppData\Local\Temp\2e768a9c7a2ef7e8132f1e9fc55d5af0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
59KB

MD5
550f5c14840d5a95bcef9528ddd411ec

SHA1
a7e4e56452540e9513aef1f792e2bed05c51e2cd

SHA256
7d5b32782b81cb5e71f7a3de18ff529e355b7305ce22f020b9ac6825c77bc48c

SHA512
3e45af378bd003bbb2942df9328f0fefc1a85c53e8d8a5b6c10bfa509084163b49e5ac7d4926fc9e1619be85cdf56a7883d58240834ce3ae6db4e62ba66e0a9f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
68KB

MD5
97aedfcf046d9a736008213741855711

SHA1
0685bf946bd4096e28a38132c534d8eec226adc8

SHA256
0244e5a36314bdfd0dd40372dd59218bc96054175277d27be331e6a317d3e007

SHA512
4802ea55ecc03a86ceedada9aa0aba4d8b32ab1557c1e38eca18bdddd0b8dc7c47cd3c9fe8fe5df997b8399946fc9568198c19b059728d991b82e93b87def1a1

Download Submit
memory/2052-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2052-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download