2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
Size

36KB
MD5

9f1aeb2bb99c77c33a6fe5507e7e791c
SHA1

c25cfc27ec7f1a8efe2f42d7d8fa94ee480345f4
SHA256

2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa
SHA512

d5a07fea36b74117bb95ada50661fc7ed1dc06a2d153b6544222a3adcd5a01086610c53eae26bee1745125cb6709f0b8d8ae3c5da68b6ed0743ab760510f3851
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiuhH:CTW7JJ7TTQoQuhH

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3729) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2996-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0009000000012118-2.dat	upx
behavioral1/files/0x0002000000010489-6.dat	upx
behavioral1/memory/2996-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guatemala.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\Chess.exe.mui.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jre7\bin\fontmanager.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Media Player\es-ES\wmplayer.exe.mui.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jre7\bin\JdbcOdbc.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jre7\bin\net.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\flyout.css.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe

C:\Users\Admin\AppData\Local\Temp\2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe
"C:\Users\Admin\AppData\Local\Temp\2e47fc2f88d2a157cf6b2b25f9582bca57f9a936061f0c6a502b4d78d03790aa.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini.tmp

Filesize
36KB

MD5
b92ed29295fb10a6b9bdcc1508301822

SHA1
632a915e9889d6b3c8a35fa121d35a5f4ccfa5e2

SHA256
1c80dea4238ef0cc5ec3bb1a31c0a69e5e17653f34b6b3035dc4cc8769f54e04

SHA512
a99abda72e00cab4560358c8ca205cf6913ef8f966ff236a95e3f4e668aa24a6c1e4f3cfc1dc9278a3dd03e813ec245264d8f20ac05880ec0e6261e03ccebaf6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
45KB

MD5
34cac31f0b11fb02b60f9c39ee9b772c

SHA1
23e20f19b89f351f20b55035a894a97165118499

SHA256
ad73e0bdf66a0771d98ed1cd4e1fe193f8f1c92037efa2c5db42a4a267adda4f

SHA512
4d9800b19aa05ef447d4ec218d89e7cf4c785196c8fe34d98ff07a50e27c02705ab7fa636e25ac6cb20a8c5330f0891ccbb753d4a28d07cd28dee1da9dbae82c

Download Submit
memory/2996-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2996-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download