864aea20d3667e2b145e3b0e3df3ef335c58afe50c7706855c3972ea175ccd37

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 13:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a330b83b51862e816889c04021d29c0N.exe
Size

169KB
MD5

3a330b83b51862e816889c04021d29c0
SHA1

543ee9efc74960dc9f980e10ca384c14d51ddb0c
SHA256

864aea20d3667e2b145e3b0e3df3ef335c58afe50c7706855c3972ea175ccd37
SHA512

db6ed4b4239c1818ef593d8c4cc3d09c9d9a08e649080291cbba2073441fffa8b31a39fd10ae346118b78afd28c924b4aedbf1e6f4ae5d773329f5a6cee0c0ce
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8zx3Y3hx+fsio5UxKzWZ64+A8C4bwc:enaypQSo6VEio5Ua4Nw

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2802) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1964-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000d00000001227f-2.dat	upx
behavioral1/files/0x0002000000010622-6.dat	upx
behavioral1/memory/1964-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jre7\lib\charsets.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\t2k.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jre7\bin\jawt.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent.ini.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein.tmp	3a330b83b51862e816889c04021d29c0N.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	3a330b83b51862e816889c04021d29c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a330b83b51862e816889c04021d29c0N.exe

C:\Users\Admin\AppData\Local\Temp\3a330b83b51862e816889c04021d29c0N.exe
"C:\Users\Admin\AppData\Local\Temp\3a330b83b51862e816889c04021d29c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
169KB

MD5
b56f9e8f7f80ecabf4907c821c36e6fa

SHA1
ef1f177e905a3949615d407c1c12613ec3c55a93

SHA256
f9dbf32fb2431d50cdb884a20b63b800f322b0c41051e672b6b0c97652578667

SHA512
4b598e417e578fd5244d4398a2ccbee414654542a5343ece88dfc62f4b46f14eac74fb3c928046c2ad88cacdfb142996ef0bcbf57d952522ee6bdf61db5614e5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
178KB

MD5
a18439c2724d735384ea949453b0046b

SHA1
afd913981838c7e70f9261edcb4233a5f540d848

SHA256
00cbee6be1403a9491ee3bb6c7956a4736f513fb5d4dcd1856017180f47468fa

SHA512
18ff2e016035f51528e846840359143b66fd317cf36bc8b7969567dbed5317322ed734883bb154cad1b08fff07bb1f93f4780535cafe72119e61614f0b74178f

Download Submit
memory/1964-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1964-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download