677498cfcf2c19195fd4087e90e7127410497b2efd6cd405c7f63e3674a5047d

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 13:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

beae0cbb1b7753ca349aca996adff620N.exe
Size

500KB
MD5

beae0cbb1b7753ca349aca996adff620
SHA1

81c38e8cb79473a12d2ab882369f099c77ba4f84
SHA256

677498cfcf2c19195fd4087e90e7127410497b2efd6cd405c7f63e3674a5047d
SHA512

07bc9e3bf6899fb550d0bdf0fa2a6c0e6a49789bb038e565ae9b351c62b5b385034527214c03c7d37ed536c52b145b88451fecb25402005181163513396e0b72
SSDEEP

6144:KbE42KWdacnZJqwCQttBaaczwDirAQ3DeQ7DluUBq2:y2KWdacnXqwCwt4acxAQ3DeGDlt7

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1391) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000700000001211a-2.dat	upx
behavioral1/files/0x00020000000104da-6.dat	upx
behavioral1/memory/2548-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-13.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Metlakatla.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\offset.ax.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv.tmp	beae0cbb1b7753ca349aca996adff620N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe.tmp	beae0cbb1b7753ca349aca996adff620N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beae0cbb1b7753ca349aca996adff620N.exe

C:\Users\Admin\AppData\Local\Temp\beae0cbb1b7753ca349aca996adff620N.exe
"C:\Users\Admin\AppData\Local\Temp\beae0cbb1b7753ca349aca996adff620N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
501KB

MD5
38c14a0c77a9587c46b0db7ac2a6bd07

SHA1
e38f8905a07318271198a321ffc80c256f8068a0

SHA256
309d536f0345af5870978100ed79a3daff22615f106cca20df70b5572b3a0c06

SHA512
83c4f3699b1eb49a487b3e5b6123dc60212e9a9fc9237c10489a66da5d3d724090df2dd7935a06f417f422e96a4811c9bb30e68fa89a9fc27d97c335793c77dc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
510KB

MD5
98bbe8c257958a377a4a4e1048805070

SHA1
c152e85c49c5021ae72b4d609aec418ce4b83540

SHA256
0f0e8439e7fb408c6116072333ffd97cf84f24d5648446713a66124f5fb8987f

SHA512
56f6932614be6fb8b76caf052b50b5a9304d81348ee3c1452ecd57dc8f346f1817ea6c2e41735f700e719020473dd5deca9d15680b80c4733e244758a4cd55a3

Download Submit
memory/2548-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2548-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download