d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 03:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
Size

65KB
MD5

ca93e1528023a112bbc5825a16d1353c
SHA1

eb54f7609f3216378591240ad734b99f4ad367b2
SHA256

d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c
SHA512

87ac320cacf7619c9db69fdf6e3b41b94ce1ac8359b921576b82a908e21e93b614897f49e63bcdf0eabcd1913ebf66ff4eebb5af0073f711869134d88ee843a8
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjSEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rN:V7Zf/FAxTWJogqwGoDe6jwc

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3526) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1820-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120fe-2.dat	upx
behavioral1/files/0x00020000000104f5-6.dat	upx
behavioral1/memory/1820-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Atikokan.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Merida.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\library.js.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jre7\lib\zi\PST8PDT.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFPrevHndlr.dll.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png.tmp	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe

C:\Users\Admin\AppData\Local\Temp\d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe
"C:\Users\Admin\AppData\Local\Temp\d413eb50c6e4552ba37d2c66fef526589457b4e9ffb6d2c664bab94c6400ca2c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini.tmp

Filesize
65KB

MD5
d4c857ada7331cfbbb2e77ddcbf0b263

SHA1
6f469a9d5dbc15c62bf3dc45edb87ce6359652c1

SHA256
b2788b974719770e2e7c2c5bb6fed81016978d2f38ddb7cbe8d321ceb84f6de5

SHA512
42379b603bef02c931fa1e64156a7dca6a33bf3742275f2e1bea4a2e78bd8a50735c7bbe68043e945a840881cb7f5f13726adcaa3fa7cebd5817b8cb93c6aa4c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
74KB

MD5
a24a294dc4a172875b15b8f05eae21d7

SHA1
9ace8006cb4fd012fb1d5bdf5ea9e29e5e35db00

SHA256
3f9706cc40f154c31a1aae221ed9cfa23b68622deb6cb9c7c8086b7e247e3705

SHA512
17cbcd5f11493c3b8ea5733f57af041636582e98d869d84cc34feba17d3585e4b037d6598d2ad1cba85e1373d5da4322138cff3e2d602a28f9d11b6a67f9f43d

Download Submit
memory/1820-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1820-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download