f3a876c8eda5d37f9c53551659631410cde4de9871c9677e0d5fa06d4bafa194

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bcc309410de908bc20a5fbbe78aac00N.exe
Size

21KB
MD5

2bcc309410de908bc20a5fbbe78aac00
SHA1

e62c33e369a80e4926c4c9bc45e120446192fa32
SHA256

f3a876c8eda5d37f9c53551659631410cde4de9871c9677e0d5fa06d4bafa194
SHA512

5deb09780500e9231b06a39e2d016b438c28f73c3c8c53beea504a894394d64415cd28772dd0181cc566b3204dd6ae94f215e1b9c8ea8be059bc403e673d5101
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJcbQbf1Oti1JGBQOOiQJhAT17FoUdOiJfoUdOiJGNk:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJq

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (516) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000c000000016d58-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/2172-27-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Internet Explorer\Timeline.dll.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\WMM2CLIP.dll.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Internet Explorer\ieproxy.dll.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Internet Explorer\F12Resources.dll.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp	2bcc309410de908bc20a5fbbe78aac00N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bcc309410de908bc20a5fbbe78aac00N.exe

C:\Users\Admin\AppData\Local\Temp\2bcc309410de908bc20a5fbbe78aac00N.exe
"C:\Users\Admin\AppData\Local\Temp\2bcc309410de908bc20a5fbbe78aac00N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
21KB

MD5
8a8626dc618b6377b9f0613c86cd6440

SHA1
b25f732b0b1e5f3a3e8fa4685d89a8ec583991d9

SHA256
bb4b9043dbd5c6bf99ee5fafa0ffb9592707c60deccd7243b97c2dd9c2abff0c

SHA512
a031f418161f448e5da011c3f671f67e75b9b43ff0a6df73e6ac3877cb70a9379ffc4aafaca47eeb69de8fa74599a8a231979c5196363ed705628d60ef10188a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
30KB

MD5
e1284408dd2f8ce92ea02d930dbc8c61

SHA1
cae23847298c615a73671b46fe0c97f5e88b1613

SHA256
f203afa690e53159c8f8f19d52ab543bf0a82009d2da6651443949b92d52a12b

SHA512
04f149c45ba5ed1d6e3b222d37cb304390a9b032184d018eff2c3c4382634e151f524ed55f3bddc6ff5b1eda255836c15d1561ca6721d2f159933b6d17e9f445

Download Submit
memory/2172-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2172-27-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download