57f954ab775b20bd95bdd23a1290e439c7829364db5eb5295a68e00ef2afc10a

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2595252e38d8d2fc3ac1e7764fd33e0N.exe
Size

46KB
MD5

c2595252e38d8d2fc3ac1e7764fd33e0
SHA1

a197465ae6f4dfd40efbab03ebaa100f2da470d9
SHA256

57f954ab775b20bd95bdd23a1290e439c7829364db5eb5295a68e00ef2afc10a
SHA512

2be35e7482d7bbdf3d2aaf80be44a500fe50fe1314ebd5ffd0b286aabbca11e2e28954ddc39bdc1420a7bbb7b1b782c27a0d7ff91661fc6833c6190111a98985
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI90TAYJXTAYJ5:V7Zf/FAxTWoJJ7Tm

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3203) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1368-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00070000000120fe-2.dat	upx
behavioral1/files/0x0003000000010330-6.dat	upx
behavioral1/memory/1368-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Moncton.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Common Files\System\msadc\handler.reg.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Los_Angeles.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\VideoLAN\VLC\npvlc.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\vlc.mo.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcf.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nipigon.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jre7\bin\java.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Asuncion.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_TW.properties.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Manila.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\DVD Maker\Shared\Filters.xml.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jre7\bin\jfxwebkit.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jre7\lib\management\snmp.acl.template.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Wake.tmp	c2595252e38d8d2fc3ac1e7764fd33e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2595252e38d8d2fc3ac1e7764fd33e0N.exe

C:\Users\Admin\AppData\Local\Temp\c2595252e38d8d2fc3ac1e7764fd33e0N.exe
"C:\Users\Admin\AppData\Local\Temp\c2595252e38d8d2fc3ac1e7764fd33e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.tmp

Filesize
47KB

MD5
6ce6168a337e10ad1fa83601c8006863

SHA1
935b441ced9eb46b2599c801727b89c93424e194

SHA256
e4fafb44f63d560607fcbaa2ca3ca4432a711835fd3ecd62d5782b17278c6597

SHA512
1e6cb3cb4d3e48aaf1875a1fbc50af8a03dfb31ee1f522103078002ab31244918a2cd39a9df5725d20bc5632f527d1ecb217bb7e6204f6b931109bfa0b6f033d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
56KB

MD5
be83fff393e048f2ea3bf39edf6fdd98

SHA1
7fe18921521800d66d64af79986d0f8ad961c57b

SHA256
2712c4679e1ca2a48dfad8c280c5fb1b1fb7ad61273b3fc5b47b320a57f30d63

SHA512
3505107230cb9e649df4d4ea5c8882dd841acb8abe70ca916e9940be6ea10a7300f5df73e59ca2963aeb688b60a84d8fc85db41911357abe1b66836aadde4598

Download Submit
memory/1368-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1368-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download