32a6a0d561d6ff707ab403a6ef075d96a8521170e4175f7a624fbe212b93430f

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c1fe1973a0c6804ece99fcd2920f090N.exe
Size

34KB
MD5

8c1fe1973a0c6804ece99fcd2920f090
SHA1

968989803b785c9bef73934e89a39c7f2491c853
SHA256

32a6a0d561d6ff707ab403a6ef075d96a8521170e4175f7a624fbe212b93430f
SHA512

24984d35d39f6363f3881f8020570bed8daf802417d89be2486d6b84fbff8b709ec509f95addf1dc1bf211fcc7bc67b66852c2a5cea18d54932504c248e88d21
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATBaMY10/:CTW7JJZENTBTYk

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3228) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/400-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00070000000120fe-2.dat	upx
behavioral1/files/0x0003000000010330-6.dat	upx
behavioral1/memory/400-69-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jre7\bin\ktab.exe.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rio_Branco.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.resources.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Amman.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jre7\lib\cmm\CIEXYZ.pf.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_pt_BR.properties.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Mozilla Firefox\installation_telemetry.json.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\VideoLAN\VLC\libvlc.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_cs.jar.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.tmp	8c1fe1973a0c6804ece99fcd2920f090N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c1fe1973a0c6804ece99fcd2920f090N.exe

C:\Users\Admin\AppData\Local\Temp\8c1fe1973a0c6804ece99fcd2920f090N.exe
"C:\Users\Admin\AppData\Local\Temp\8c1fe1973a0c6804ece99fcd2920f090N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.tmp

Filesize
34KB

MD5
2d86086bc41529336b05a66d2fb9f4a3

SHA1
7a47d68df73f82f10766bad944f5ef7c96d3d7cc

SHA256
b203bbff9b42be001f87d3e5e69af6ca75087e63e161c6e35bdc90ae1102aeec

SHA512
1688f4ce3e64dee24dfc5c0c6f6ff54ddd14b78190880bf301c5d80c45be818e0fc60a19fd77431a05229e68d8ca3bd3d9ff3f9046eecd83e00ee009d8ae525a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
43KB

MD5
f8f1681d78f08d96467b6e573c979314

SHA1
39125c13c71b3d01f65380c5d3e89146365ad8fe

SHA256
fd0db1dd74826b1f1eab8cc6ae1a9b2d811408b587a4d0d9a5746fea33473d1e

SHA512
f9bb895711108cb67a0cdfbff6f49996f256991df0de1ae641fbdeea9e9cc5628ec7cbf5527f5de2616fbc907aa5b4992e287a875f487a802b3b95a95b87258c

Download Submit
memory/400-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/400-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download