bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
Size

47KB
MD5

bb13250644f32c9d40ee745f9af3f3c4
SHA1

d1a254ab21db18093098e63cc0baa38036c8731a
SHA256

bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c
SHA512

40cf2f24b11367ec06de32a0aa3224a54b2e22ea36ac4ac9fb5bd68b8346577e82cb6987755a474b24e1e18a9448622d3eb7aa12c1e898fc3136a5b0ad4b03a4
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeinMdg:CTWUnMdyGdyoIOIX

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3773) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2128-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00080000000120fd-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2128-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Design.resources.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Brunei.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\settings.css.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\VideoLAN\VLC\skins\skin.dtd.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Mail\wabimp.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Media Player\it-IT\WMPDMC.exe.mui.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\skchobj.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\slideShow.js.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\picturePuzzle.css.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jre7\bin\jawt.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Windows Media Player\it-IT\mpvis.dll.mui.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jre7\lib\security\blacklist.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.tmp	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe

C:\Users\Admin\AppData\Local\Temp\bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe
"C:\Users\Admin\AppData\Local\Temp\bf9c238fe177bd76a920272033a075f7878d837a004ce656edb9c899989eec4c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
47KB

MD5
ebc90063ffef5ece118bdc1718e28939

SHA1
64ce8b2f9b3d84ef9c50bf7ddbaaf87d540f5361

SHA256
c8f05b3b5db76037a6a8947c334faab44934c067a400f0fc164e988890704d82

SHA512
8f9ae7f47756bd54168f9677cb305cd3ed29383834a57956a1b04e69adee4a7a82697a0aec517a4ae13cac9a482d43507b3f6a0a313350ec9bd9e5936cbfd235

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
56KB

MD5
d1ced60dff4c330ef7438b9091c17f65

SHA1
17ff4a5a0a3d9efc2770cdbb61207bb64872efbb

SHA256
4acf1313862ba1a3d1f8132e6428358674770f1646635ce5ab470c9f15c81eee

SHA512
bdfb6fad1ec2a9705b2dee4c6ad094431ccaad439e0448f0f8ecce43e6e23437b6427f0de138f04f57fcf3a26dd11561e1159fb8f89ee8a6295205500a4ea186

Download Submit
memory/2128-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2128-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download