f8f386a3a4a59b4868d1af89b58fa71f5df68ac3bc4bed51738b7fe3ef4a3f4c

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f9867dc3ec35fc98aa4ec593b6116d0N.exe
Size

78KB
MD5

7f9867dc3ec35fc98aa4ec593b6116d0
SHA1

67bbe3ce9b8fa12e3f8c5ad450f2757ea0ea8b93
SHA256

f8f386a3a4a59b4868d1af89b58fa71f5df68ac3bc4bed51738b7fe3ef4a3f4c
SHA512

5e28d1f1787b703ed38a179a6ee3b151232f13d7370b4636b155e074afcefcb2137e40073e20558d19170bc19f1e5505e6a59d5adff10554ecf61df5c402afd0
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q86:fnyiQSon

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3158) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1052-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00090000000120fa-2.dat	upx
behavioral1/files/0x0002000000010486-6.dat	upx
behavioral1/memory/1052-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Zurich.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\bin\decora-sse.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\London.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Microsoft Games\More Games\MoreGames.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\CET.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Stockholm.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.tmp	7f9867dc3ec35fc98aa4ec593b6116d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f9867dc3ec35fc98aa4ec593b6116d0N.exe

C:\Users\Admin\AppData\Local\Temp\7f9867dc3ec35fc98aa4ec593b6116d0N.exe
"C:\Users\Admin\AppData\Local\Temp\7f9867dc3ec35fc98aa4ec593b6116d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp

Filesize
78KB

MD5
a6a02645bf40338e65e1060781609596

SHA1
2434339256764c12db15107db30a3c1295b7b56c

SHA256
7a3c5369e57d2cda214f33c2d019e39db3dc604461a684f8d1c50381ebe75d81

SHA512
bfa30df1b7a091987c35df4e732d32a80efa4ad7f94c45adc260b395cced5027f66a41beb0d38f6ded1d0357872945be4eed22d34f70f3449433d171987f1008

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
87KB

MD5
2682b54364d67b66b7bbfc19782843f6

SHA1
79042060556764196a98f0a667eedfaaa54b07c2

SHA256
43470dd66d7964308ffa71fddf96c435cd6989c501920e93182a327c669b3ecc

SHA512
ddbfb6397cf431aedf6d2329d035255398c9b1bc3a230c28f1adeaec7322ac6d1d9f21ba7a15883b5b6fd35125970938ec690e21515a7d071fb9fe6efb7db7a8

Download Submit
memory/1052-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1052-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download