ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
Size

37KB
MD5

36f5fe9bfe7e7032efe57e08a0b7637f
SHA1

b5241e7bef7ee5c1d9a8cb387b3b22bc16729ec6
SHA256

ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0
SHA512

1872e1c53558bead122a43a0e40be3c88937c42973d983fb8b38d09ca78e43b7b45ede4194ce639547a542f915df3049ebc970ae70edd4ebef33bf1093666ace
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9NCQy5vhgCy5vhgw3N:CTW7JJ7Tugtgw3N

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4000) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000d00000001225f-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2668-70-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Moncton.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\gadget.xml.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\CAPSULES.ELM.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Java\jre7\lib\tzmappings.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL.tmp	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe

C:\Users\Admin\AppData\Local\Temp\ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe
"C:\Users\Admin\AppData\Local\Temp\ec6bac424b6f881860688884e4478216536f1720226f91f5f8a60403239759f0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
37KB

MD5
b31f22025557465ea626c957fc2df26b

SHA1
4feb06bb6f660ec9cf53d3a797fd9982945b814f

SHA256
1b41888e78a944c0896469eb89af68f9f0a7a695f51c94e233afad839dd15f7e

SHA512
e2f0596313c91b0251b4bd0d3a040e7796a64f95b3b5f6ee3693a6f115e538b7b59f742b2cd8ac0e7fea30c42efdb31f26db537773145ef0dad079194225ee2c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
46KB

MD5
09bd92766115f378ef7506e0c79e1f31

SHA1
5661e61925c950d0d956f04c8958422a58555e56

SHA256
666ade594089dd5073e4454704fb3399d45c7eea2afbbf7877ecd3d263917170

SHA512
89e63c65a2b71af2883d7cb4644e51c592ace950b36707da46c864caa05e5ebd24fec08dff734fb835904029ef81e0178b13a9baeffbabc5224617f04df798af

Download Submit
memory/2668-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2668-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download