9c4fe2cb07deb134a853565e85cba74527167f1c072a08bff3439458a6c9a134

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40180e114f2d742b83e4d51fb6370d80N.exe
Size

73KB
MD5

40180e114f2d742b83e4d51fb6370d80
SHA1

46b0f86fb905fd8c5e1902428ab9baa8734167e3
SHA256

9c4fe2cb07deb134a853565e85cba74527167f1c072a08bff3439458a6c9a134
SHA512

c928eb336d1ff78825594c19b97996400c8ac6693efeb2e4ef7bae444db1bad48a97dbe85056ee9eeddd082e26bb1854284491e7d117b1f16950028bce4e5382
SSDEEP

1536:V7Zf/FAxTWoJJB7i2JalYNRw3XTW7JJB7i2JalYNRzqUS:fny1c2JaCc2Ja7

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000012116-2.dat	upx
behavioral1/files/0x0002000000010557-6.dat	upx
behavioral1/memory/2216-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\InvokeExit.cfg.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Jamaica.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre7\bin\kcms.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre7\lib\jfr\default.jfc.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Barbados.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre7\LICENSE.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\desktop.ini.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\CST6CDT.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	40180e114f2d742b83e4d51fb6370d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	40180e114f2d742b83e4d51fb6370d80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40180e114f2d742b83e4d51fb6370d80N.exe

C:\Users\Admin\AppData\Local\Temp\40180e114f2d742b83e4d51fb6370d80N.exe
"C:\Users\Admin\AppData\Local\Temp\40180e114f2d742b83e4d51fb6370d80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
73KB

MD5
02ffd281c4e3742dbfa00bbb87394f3c

SHA1
07f64c2b66aa6e34b0974d3b04498e78aeb40e12

SHA256
83fdc9dce282fefa300dcfc7764c06e32223eb9419baea78d35835427b24c1d6

SHA512
782459055f3b3e3d6ab7709cb1f0676186692764cc9c26dd13c0bd61cc8b28c88d0325f4bc22bc7047fa58d82cbf4549a89dda0d56b800af73612258375ee395

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
82KB

MD5
d501baa3cf4af5f704dad45ede9d8ba4

SHA1
43d1a74f1db26006ace89b011b3c0acd19d21676

SHA256
da5f76dfeb443f9eb1bfb5c73df07532417fb58d28d68cbdc462117445460a0d

SHA512
99265ce3f8b9da6ab4ecfac6a15e6e0ddbaadd7624d88504246ecee601cfca276c27946647e9bb8c15d758f8ea0db38d80ec603f179fdda43c06b48d05ab0510

Download Submit
memory/2216-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2216-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download