d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
Size

30KB
MD5

3b0279936f4a652d9b7f122053703887
SHA1

410198ded33cc9e64f1fbf8902a9bee462d4c11c
SHA256

d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f
SHA512

15a9c3a510baeffd01b7f3694fd2af8b42124ac9a2b181e9072c9825b83e11ef511c424759baf64b2264f920e9745940c2843db732215f851f7902b9ab655e89
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9woOzOuiJfoOzOuiJb:CTW7JJ7T4MU

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4147) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1872-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000900000001202f-2.dat	upx
behavioral1/files/0x000f00000001045a-6.dat	upx
behavioral1/memory/1872-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files (x86)\Common Files\System\wab32.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\SearchUnprotect.mpp.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfps_plugin.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Simferopol.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\PREVIEW.GIF.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman.tmp	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe

C:\Users\Admin\AppData\Local\Temp\d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe
"C:\Users\Admin\AppData\Local\Temp\d32a2804518f8135e79637b77af14cfd1ef213db6497be136a1124de59bae60f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
30KB

MD5
b15e78f33d578ff5c36fc2c531ce94a5

SHA1
3c092be2abf547e025d634bdb4cb6b70143d37f1

SHA256
d48c85d90c9464e4d31fe36eda3e7e2c0235bdee549e642b10c51c779cb9d117

SHA512
4f1b245618862584148ba6bdf93e9853d32bff7f86f9a460de913cc5ddfbcc8012ec353119ffa9a32f2fdfae9b0673785432152b84278f35a9645a42373a54c1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
39KB

MD5
a23322ba15d9bf3d68a40e91ce79fcc8

SHA1
0866b3eb09aee2bc541b4ebd55db5c54b290e975

SHA256
57e56c187ea755a7c16bd9da45444fa4c6296a0941f7421997505a3f793a276d

SHA512
5d31ec8d80ab51ce9493e2de2a2809c88b4abd7ad17931dd49e8bda79a1e71fcbdc884203d5fc33f52544a9813c3fcae4f35ab86cf7bd741a864c7ebe08e0768

Download Submit
memory/1872-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1872-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download