73629ed22124509bfb9d9eab08b83d9837a48317eaba82a579e09a54b0df6ba6

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 19:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
Size

42KB
MD5

f77e62737e2d6aaa2ac6ad3fd4d07a30
SHA1

375db6dd1eb7ad7c021525331c26d7fb21279d39
SHA256

73629ed22124509bfb9d9eab08b83d9837a48317eaba82a579e09a54b0df6ba6
SHA512

fd2c3c43a8fdc89aedf502759ee08e2bd6eabb4c88752735bc3fd4c20b22d7b8d793253eb3f9d46a06536f42670a01e1d9afa04e8aeee6871abcbdee393b54c3
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeIiKxW:CTWJGpG8ntmr

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3452) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2864-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00090000000120f1-2.dat	upx
behavioral1/files/0x0002000000010557-6.dat	upx
behavioral1/memory/2864-70-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Mozilla Firefox\notificationserver.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\ConnectTest.temp.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\shvlzm.exe.mui.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Mozilla Firefox\vcruntime140.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IO.Log.Resources.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+12.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libadpcm_plugin.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll.tmp	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe

C:\Users\Admin\AppData\Local\Temp\f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe
"C:\Users\Admin\AppData\Local\Temp\f77e62737e2d6aaa2ac6ad3fd4d07a30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
43KB

MD5
570866dad9c8d55d262ec201d193af52

SHA1
219cd27c3ade9d60ca43bc7ce7468de43b4e141a

SHA256
adfbafe076718554e0f9833a447e2b6d992a3208c3e92b772be461c14caf6232

SHA512
14d1c91e0a6673c83b46bc1dd1062762f2d0bfdbde5cf1194b90c81c7fbe87871792d6fe693195d2f40099dba3906d75dc725015968c2d50dac52ba066f99994

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
51KB

MD5
ca5391cc004bee1de9fdd315c9f6150d

SHA1
ecfba652e1f156533f2d2d75a03fa146a3be58b0

SHA256
8c7d785ebca86759b2ecfc8ec2380b1ebbadb0ff9ca830a30c2f5219944c4b72

SHA512
a0f5d0570d95fb63b31d35709329f361bd13407ad0eaf987a0fdafafed229f08f0892b6042bfd7db08523ce5a5d73de2f367201b167a5b6e7f5509f4aed5af2b

Download Submit
memory/2864-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2864-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download