42070bf9ef37571c12244c1509c58c6cd30d9ad91e6262572fe0607a074e25c5

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21388e2d9059a00144b568bea594d1f0N.exe
Size

90KB
MD5

21388e2d9059a00144b568bea594d1f0
SHA1

e2a0398b0b773e4a3b3dc70e4fd67bfc0b976b73
SHA256

42070bf9ef37571c12244c1509c58c6cd30d9ad91e6262572fe0607a074e25c5
SHA512

7ef70385f76cf7606a916c37e0e6ccde61ac27a5d393bb6610744f41db44c4da66b821862a2d7436f912515675bbc4ad906f11d9a289505eaea0c3b12d8f0b0f
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8asUsJOLKc/xJtLJtTGK5:fnyiQSohsUsUKC5

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3019) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000a00000001227c-2.dat	upx
behavioral1/files/0x0002000000010489-6.dat	upx
behavioral1/memory/2220-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\bin\java_crw_demo.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Moncton.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\jfr.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Maldives.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\bin\jp2ssv.dll.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Yakutat.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.tmp	21388e2d9059a00144b568bea594d1f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.tmp	21388e2d9059a00144b568bea594d1f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21388e2d9059a00144b568bea594d1f0N.exe

C:\Users\Admin\AppData\Local\Temp\21388e2d9059a00144b568bea594d1f0N.exe
"C:\Users\Admin\AppData\Local\Temp\21388e2d9059a00144b568bea594d1f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini.tmp

Filesize
90KB

MD5
3e15cfdd6b19bd4b2fdfc36ebf66323b

SHA1
f51e24dbd6e442c7778a9dd29e884339cf108443

SHA256
754cb2242041996196753ea5bf509af32baebb038f2c37352582ad8406cbcee5

SHA512
c0ccc49b531c357fa0978d23cf92cb631aaebfa2cfce6d01e7ecb22e1b0836f75760a3aced639d68afcb09d6c63d64a720f4ea34868088787b1037cb60cb21a4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
99KB

MD5
41dac06f87f11d86fcb4610579fe28a3

SHA1
ba8091b5ecb2db4a0860260fc79ac56eb5969f83

SHA256
613302ee13b800d830bc9271565caefb7d17189007cc992a5bf91f2d4cea7e97

SHA512
35901ca1ddc8f5978bc97d094c33dd0282d05d9d533ab4ad4b435f6326124e12e12f310e2b0663c5d4326892e92c87f7457000b6fa806dfc84aa89cb2195f57d

Download Submit
memory/2220-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download