58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-08-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
Size

27KB
MD5

822193ceeade7e2bdf28e1379dbaecf7
SHA1

78b363628a4aff15c691e296cde83b5e641b1ba7
SHA256

58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9
SHA512

051def865a00a671fb04c7c9e539ae8b6f51b1bed5315eaeda134233082cbbb01862eb5b4ec5a7e7330555e91defcd12f66f12cbc4f305c58490096287913c90
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9Ro+QOViJfo+QOViJhnQRE:CTW7JJ7TPUdRE

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3857) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2992-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000b0000000120dc-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2992-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\lib\resources.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libedgedetection_plugin.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Ojinaga.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows Journal\Templates\blank.jtp.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\bin\deploy.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\bin\installer.dll.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe

C:\Users\Admin\AppData\Local\Temp\58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe
"C:\Users\Admin\AppData\Local\Temp\58f7112b0b183eeb99b10d6b4589a726d2ba4ccb5cb80824e6aada9f734b0cb9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
27KB

MD5
b5c00dc30cf2f6ee631b48a908d4edba

SHA1
2e129660282f9f2fa328ba76c08a73a9f0ecd355

SHA256
c7b47f469a36743da37dc25dd6ce81e256703f76a63e1e5b026bd5635b45ac83

SHA512
e40a8b5215669e0c036521ce4bcd291745ca270eb290ecab369881628fd738a5b58e8315da5de98c56397f91efdbc6f2b7af62509c5b8e2c3e3fd47350372dad

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
36KB

MD5
b41ed050bd7bcabdf4de77c347162c06

SHA1
124c0f9f83397166d363a20e47b14043adbd74bd

SHA256
92555f42d7fa6f8eba5484cf0c2f635d73bcd9874670a248e0fdd70ac3a110cf

SHA512
b181071be58aeb8f17345823578ace1076c54e03cf89e1d1f07537673d1b0679d327fe3811f0958ae339d569f2f9c11646b8ce5b5c37a6b3da5b88729ea58df4

Download Submit
memory/2992-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2992-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download