d1b9db6fb4b88860d4ff950a3e6eb7aa832399b69d888db11cc1f9091cdd7cba

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1476ccd8fa70c5b3517296968f6dd100N.exe
Size

58KB
MD5

1476ccd8fa70c5b3517296968f6dd100
SHA1

492435d38f7e8c9bb44e6d916b776fda1eb8b256
SHA256

d1b9db6fb4b88860d4ff950a3e6eb7aa832399b69d888db11cc1f9091cdd7cba
SHA512

2a6cdc74fe95e26117896f9acb40ee2312435f2694ba805c15d4d94e7ada4d27927f78270176ceb33d08c1121e9b84f136ff2c9e207c03592a0f000bf942a205
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKF9ADJ9:V7Zf/FAxTWoJJZENTNyoKIKMPkG

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3256) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-2.dat	upx
behavioral1/files/0x0002000000010486-6.dat	upx
behavioral1/memory/2416-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Internet Explorer\en-US\eula.rtf.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Thule.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\splash.gif.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\CopyOpen.mpa.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\VideoLAN\VLC\COPYING.txt.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Manila.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_ja.jar.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Internet Explorer\jsdebuggeride.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jre7\bin\jsound.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\Chess.exe.mui.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libzvbi_plugin.dll.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp	1476ccd8fa70c5b3517296968f6dd100N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1476ccd8fa70c5b3517296968f6dd100N.exe

C:\Users\Admin\AppData\Local\Temp\1476ccd8fa70c5b3517296968f6dd100N.exe
"C:\Users\Admin\AppData\Local\Temp\1476ccd8fa70c5b3517296968f6dd100N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp

Filesize
58KB

MD5
847404c24d4c6673c5e3f06034c325f7

SHA1
23ca3e21578122f79939ff323dd3148c6f58996c

SHA256
62d0b293f0560f4dd374511f7a9bda4bbcf19ce26aa74f17a328ae9c057ae49e

SHA512
309763df04d81a7c67458cf5e78509e144b47bd28e6bb0b39e94ae1efe01561bdf7c014b8197e007067b591cbf44e2d0622e49ea6dc9e729facbc4506441fb18

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
67KB

MD5
d7058103744a6dfda85923cb63cb1def

SHA1
f26961fe8a081e91be27cd9f9da3ea480dbc3d7b

SHA256
6fe055b5023ca596fa182bcaa9573781dac880061dc412b6fe02bdc303aadd0f

SHA512
b8825449600732d65e234c231eb808a01783016a50cf7e81f0c769a342cb71328eb9e23a241db264b67d1613bf25a3b03aec8cf3525b4f04872d9e9fd90ccaf8

Download Submit
memory/2416-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2416-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download