cb359f126085e6f05700192250d1d8dce65877a7f95fc1cf402fdd59f9d04ce5

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc65acb62595241f3024198d3486d960N.exe
Size

70KB
MD5

bc65acb62595241f3024198d3486d960
SHA1

6ab397873adc55744092c1c4bc013ca83070456a
SHA256

cb359f126085e6f05700192250d1d8dce65877a7f95fc1cf402fdd59f9d04ce5
SHA512

2afd51359d7830660d52e54a6feac0b8ae827449e2bd8badf735ac638639a4212904c3b5a89c511249388008449fe5e7e5a3df8a6bbdc9638b79c421457033c8
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2re:V7Zf/FAxTWtnMdyGdyoIOI1Qq2

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3351) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2680-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00090000000120f8-2.dat	upx
behavioral1/files/0x0002000000010489-6.dat	upx
behavioral1/memory/2680-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\UnregisterMerge.avi.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jre7\lib\classlist.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-modules.jar.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Microsoft Office\Office14\Custom.propdesc.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_delay_plugin.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libntservice_plugin.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Regina.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\UnlockGrant.3gp2.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\NOTICE.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-awt-j2se-1.3.2.jar.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Uzhgorod.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Internet Explorer\F12Tools.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.tmp	bc65acb62595241f3024198d3486d960N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll.tmp	bc65acb62595241f3024198d3486d960N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc65acb62595241f3024198d3486d960N.exe

C:\Users\Admin\AppData\Local\Temp\bc65acb62595241f3024198d3486d960N.exe
"C:\Users\Admin\AppData\Local\Temp\bc65acb62595241f3024198d3486d960N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini.tmp

Filesize
70KB

MD5
b525ba6033d77ad6234a29195d4db781

SHA1
b3ca07dc6ea136064a7c8886ceb00dbde94ef69f

SHA256
7ea366e6deb3323ebe144a3b1fc60144d8cbefa03297e5460b9b5a7414e386ba

SHA512
23b6b541b8217eb58357d465fdea604f5d37580838f4cca2081d60f153031367ee746276ea2d679cf3ea4f20dbd8c5809d1b0b44dd724ed1378ac5ccc975c9b4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
79KB

MD5
c519a21db348a9469fe60423c99efe7d

SHA1
8c3773d58f711b440452768f7311a1f02dd92e0b

SHA256
8b24531b1bb4bcaff713f86e3720f09a9dc75c9464f1245a0ba0a07d78dd1058

SHA512
3ea772cc9ab75ac5aea5f9928411761a3c0a87389f61ae0824ee904a29bd8a0947c031d7bd52d6747fa22c69aafca82f0840f5203d8e3a14674dd8724f5de624

Download Submit
memory/2680-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2680-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download