8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 00:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
Size

46KB
MD5

108467a588118998f14cddf26373d3a9
SHA1

ea3114410966039e1eb9ab070b00eed64a460909
SHA256

8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164
SHA512

6767dc7b426b1acbbe074f94af27f4ba6eb37ef9b0a6ff7a61ec83cf7fb40dab1e804ccee428541d1adfe1f31acf5e9505e2d4f919781dc0f15e6d76d6839f52
SSDEEP

768:kBT37CPKKdJJBZBZaOAOIB3jM2jMO/7OSbo5+Oi6Jfo5+Oi6JvEXBwzEXBwkqA7a:CTW7JJB7LD2I2IbSq+12i

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3767) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1432-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00070000000120fb-2.dat	upx
behavioral1/files/0x0002000000010486-6.dat	upx
behavioral1/memory/1432-70-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Games\More Games\MoreGames.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Journal\JNTFiltr.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Copenhagen.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\FreeCell.exe.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jre7\bin\klist.exe.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\gadget.xml.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Irkutsk.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jre7\bin\glass.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Curacao.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif.tmp	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe

C:\Users\Admin\AppData\Local\Temp\8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe
"C:\Users\Admin\AppData\Local\Temp\8d5e57f7c0dc2e319c39f860275c64b81365c4f0adf67acc01abb02b03cd5164.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp

Filesize
46KB

MD5
041a8be54d075f20edd7183c84c41eea

SHA1
6c4a28c55a1b3b9a11974502653f4a69e3762180

SHA256
3c2d1b81c73a8caf214cdf3a19e8500c2dbae617473f7a8f288746f98187d526

SHA512
e5dc506b57a9df15986761145c9d87f4f5fc514cf2efc2414ac5e799632d60856b3f58b6db7734a3582217bc78fac71c3bd641211ed9000aa3b7a5aad0e6fa67

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
55KB

MD5
f541cc6b82d14af6d859279d5197f52d

SHA1
e0a219659a65a59b82df7ee12e906200c3f52634

SHA256
d50015fdd0341b25b1b71e8b93898eb845fd9db99f39debf3769e6cb17b99251

SHA512
709d18706ffb38603d9fc5526bc8391fefdcf570708ab6a42ebb0968e3c238f2a72eaace8c5ac5afb1a9ead12df0dfc5848463301b602cb5d55851f5f61b1c07

Download Submit
memory/1432-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1432-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download