f486564239441eeb454c3d4c918df81f7613080220c31b5d1cd495d3c28ba8ae

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2b97584c82c862a25aa76e658a621c0N.exe
Size

29KB
MD5

a2b97584c82c862a25aa76e658a621c0
SHA1

54da3dd6bc7a48b79a989705418efad20da9185e
SHA256

f486564239441eeb454c3d4c918df81f7613080220c31b5d1cd495d3c28ba8ae
SHA512

e83a5e98515dc0a4a1d009ba56412bd6e0b34bfdaba74da529cd53123c066269961ab9ab32cf8c644ff3e07e40ff0770b57148d1347e27684341ce6c70bcbd8b
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI99ui1xDui1x/:CTW7JJ7T/F/Fz

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2842) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2704-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a0000000120fa-2.dat	upx
behavioral1/files/0x00020000000104f5-6.dat	upx
behavioral1/memory/2704-63-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent.ini.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages.properties.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Internet Explorer\Timeline.dll.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jre7\bin\ssv.dll.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	a2b97584c82c862a25aa76e658a621c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	a2b97584c82c862a25aa76e658a621c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2b97584c82c862a25aa76e658a621c0N.exe

C:\Users\Admin\AppData\Local\Temp\a2b97584c82c862a25aa76e658a621c0N.exe
"C:\Users\Admin\AppData\Local\Temp\a2b97584c82c862a25aa76e658a621c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini.tmp

Filesize
29KB

MD5
ef4e7bc9a38b7ed6e2d9e8e5916f9993

SHA1
c49ad7a3242e9a7c19786e7f2fdac6211c8c5333

SHA256
df556accd6d444d95aa9996affe1d3c011595efc92c2bbeb2a30b833c83dd883

SHA512
9f6dab59d66e5adefe08f0e106d7d631a9edc2cdf7c48468b4b064c97636f7393593266629a508d0380549e492afecc2bc354735ce017a53fab721d231a7fbe0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
38KB

MD5
158ee950496ceae76a10b6f84af98349

SHA1
c15f95dd237271d5c28848a0bda4972d4699b41e

SHA256
31aec38751afe16fdeb73e21b3e0982b50593f9533c0d7c50b35d9172d305475

SHA512
159028efe3b9fee0756c66359f1a282e7e800fd64eff161cad5fe3853c118b1fd95bd6edfc1a034178f3d8e3308b494c542813f5d62390952d39b0f96762afaa

Download Submit
memory/2704-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2704-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download