f28eb19c1d7b0a6ec0728a36e05f4ecc8381c8c6306f67d58d73761037065d81

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29b7b66386eb53d288b3ede5dc6b6b0N.exe
Size

65KB
MD5

f29b7b66386eb53d288b3ede5dc6b6b0
SHA1

6d09e8945a6d2d520deadddf5017cd6a335a4d75
SHA256

f28eb19c1d7b0a6ec0728a36e05f4ecc8381c8c6306f67d58d73761037065d81
SHA512

2c3984ae9c1fbb81918d678b365aa796cd73787d575aa924df513fd0de65309c0d1888017f26cbbc0faace2fdf72a603ea512942a55dc9a21eddf1b105379fbb
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFz9:CTWn1++PJHJXA/OsIZfzc3/Q8zxSL4

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3257) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0009000000012281-2.dat	upx
behavioral1/files/0x000f00000001045a-6.dat	upx
behavioral1/memory/2872-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre7\bin\jawt.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcf.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Uzhgorod.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\VideoLAN\VLC\libvlc.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Mozilla Firefox\IA2Marshal.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\vlc.mo.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libadummy_plugin.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Internet Explorer\pdm.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Tijuana.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.tmp	f29b7b66386eb53d288b3ede5dc6b6b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f29b7b66386eb53d288b3ede5dc6b6b0N.exe

C:\Users\Admin\AppData\Local\Temp\f29b7b66386eb53d288b3ede5dc6b6b0N.exe
"C:\Users\Admin\AppData\Local\Temp\f29b7b66386eb53d288b3ede5dc6b6b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
65KB

MD5
a05d4add9cafecc5935eca948910a23b

SHA1
1199d4745a180ede1767a42fc3e54212061c5b10

SHA256
47f8a8994d9a159c4e2e62aac1b46da979e13bc36acd4d478fe95ac2f0ccbe87

SHA512
fca25defb4cd54488ded1d90b12b9410c10f7a798eaac0cc4dc0f3c9916d3d5c7b2e0123ef7551d53ea6abe42f0170ca97046819e851301f0333a1ac46793fab

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
74KB

MD5
b54ab4242db1547d12a804d1e66d7c02

SHA1
d073d1bd545adfb25025219f9f0958246b3a3a7b

SHA256
00618a8ec816871001147299c5fa73c11c4e7cc22b0c22bc2f8bf0ca5255ec86

SHA512
75339ad715d850775defdc6bfab012bcb037bb00958d95f92a411709d7dc36fcbf8e6210056588ac4d8c375f93432147ba632fe2b70de64c1fc039b7fe3ff5f4

Download Submit
memory/2872-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2872-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download