6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
Size

32KB
MD5

439461275670ae40830d2bc3b7a85903
SHA1

8cbd98516234447a19f396070d8c1d0bd6ff9856
SHA256

6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c
SHA512

6e77f1a10d18f804522a0781822471cbd685998804d98a8aa445986874a6b0c93f8f52cfd7be3329ba8d86ce868e06c549339d0673452bb13e2cab8ba769c0b1
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0mdGRG4:CTW7JJZENTNyl2Sm0mA

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4119) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2392-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000c00000001227f-2.dat	upx
behavioral1/files/0x0002000000010622-6.dat	upx
behavioral1/memory/2392-71-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\gadget.xml.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffilt.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Media Player\WMPMediaSharing.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Adak.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\RECOVR32.CNV.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ShvlRes.dll.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Sidebar\de-DE\Sidebar.exe.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.DLL.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre7\bin\sunec.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre7\lib\jvm.hprof.txt.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre7\lib\resources.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\vlc.mo.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.LIC.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.tmp	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe

C:\Users\Admin\AppData\Local\Temp\6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe
"C:\Users\Admin\AppData\Local\Temp\6bd0af6e58b2108600729ddbdc202b02352e63b12ab8327a35554fa79a7da55c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
32KB

MD5
657d60920cb56952ac4aa09c10316f78

SHA1
4a5fea25710556bf3f6208916138e217a07fa92a

SHA256
8f553ff5d20938bee24c47883eede867d7aa24fb8cf514694eb5ab4c77018bf4

SHA512
1ceaf6e8c5748ab5a6d6eeb27df201848d2fc8f5e542e956d0a4a04f338f7a99dd78ef170d8a1f61fb0e3e4f059d3b1b48465b23d3cc41e9f189dc887acb80f2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
41KB

MD5
898d0aac8ad20caf2709e47f692e1c5f

SHA1
beeb2e253b905b810e0fb252f57db89ffd6688d1

SHA256
15eb2c80701135eb58be6a6d6c4d8ffcc109dce5dab8b07ca221d07e73e459c1

SHA512
93cac2907971531e21d083e77f248dc84ec48bed3716998f337e5a74049b6317566c3a4e1a04d88cc390cff0b66ebaf809275af05069f723a3e48b4733c2ed38

Download Submit
memory/2392-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2392-71-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download