38cfb585512705551275cef8e8d0b1eb25b270c9e2ea721d357187799209c54b

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a4b281d8606e4724f75a4178c8ba30N.exe
Size

108KB
MD5

33a4b281d8606e4724f75a4178c8ba30
SHA1

ba18d71540c3480dded99b22c59e9285b6498d8d
SHA256

38cfb585512705551275cef8e8d0b1eb25b270c9e2ea721d357187799209c54b
SHA512

a7469409546752b3ce29cee0cb054055d8d3fbd7a3e8250036861b8d9c58146e719a53b253e46433c2459cff3cd319f81462524264ec08278a359b4aa404c81a
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZf2XcqvcYdnS:fnyiQSo7Zf2XLnS

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (318) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2252-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0008000000016d90-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/2252-26-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\bod_r.TTF.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	33a4b281d8606e4724f75a4178c8ba30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33a4b281d8606e4724f75a4178c8ba30N.exe

C:\Users\Admin\AppData\Local\Temp\33a4b281d8606e4724f75a4178c8ba30N.exe
"C:\Users\Admin\AppData\Local\Temp\33a4b281d8606e4724f75a4178c8ba30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
109KB

MD5
8edfa10da765095751e6aae0bafc58ee

SHA1
fcee442080f0e5af849876865b683d754ca915e5

SHA256
662154f0dda6c218bc6e78459018ef5b9dbbdd94ca540e24be24c3308d4947ba

SHA512
a7a6d57f5c4318995ba7a9fefae0af806c4d33ddba6ab258775028fee3e21b113ebbabbc686015e4eaec2fee281f831288d46da2440b9de0c10747426a05a8a6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
117KB

MD5
329f4e52a022adee3e09ea1f7bb5a4f9

SHA1
ba4970c46975bd539d4aa60711b3d7ae7a4255a0

SHA256
d2f31d107bdd5a0be5e827aadcadd7279ec7dcf527f0b36084af3187e54154ec

SHA512
d74a00bfedc19a6acf78c7bd6993f1157572b10557c631008a6f45749e2060e89a5b8a2f4487ee590131ec4ee28e0496907476410e1255084f83a40e368d7deb

Download Submit
memory/2252-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2252-26-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download