21a5d6348698981927408568ca5243a7cc36d83c053e480e64efe120a122d68c

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e65ebb998c77ec949401380ff3087d0N.exe
Size

49KB
MD5

9e65ebb998c77ec949401380ff3087d0
SHA1

48e79bf4d26f28cd3abeab8582941ef81cde5cca
SHA256

21a5d6348698981927408568ca5243a7cc36d83c053e480e64efe120a122d68c
SHA512

097871e26ca1c5e5dfcd11569327f01be9507854e25efdf1d9094c3c423a9e226f6ddbe92397e3bb52278a7c43eb6ae0d2baabcc44a76621a37d7ec07d0e3957
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9bJSsJSn+r:V7Zf/FAxTWoJJ7TFJSsJSS

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (340) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1656-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x005200000000f5ab-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/1656-26-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\msadcf.dll.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Pipeline.dll.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Internet Explorer\jsdbgui.dll.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\WMM2CLIP.dll.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lv.pak.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	9e65ebb998c77ec949401380ff3087d0N.exe
File created	C:\Program Files\FormatDisable.eps.tmp	9e65ebb998c77ec949401380ff3087d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e65ebb998c77ec949401380ff3087d0N.exe

C:\Users\Admin\AppData\Local\Temp\9e65ebb998c77ec949401380ff3087d0N.exe
"C:\Users\Admin\AppData\Local\Temp\9e65ebb998c77ec949401380ff3087d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
49KB

MD5
189c8a15f9207c08f1037ba6cd465baa

SHA1
788c2e8c74535d2dd214084f3af342f55bad5b3f

SHA256
0fb6b3def0ecd6ac545ae4ea03b09e917866d05f123c452b160684c1f5ebc1e6

SHA512
4f96bbe308430130e42822120f019470c94b5155ca1fe6c15943dd3805bf1e8903e08d6a8c90eb7051d7d717b7ec3c02aaa112a8ed18e043634c94296f4fa030

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
58KB

MD5
39ecc5dc6506890db97678554b4489ff

SHA1
22570d5992cd92a29cd49fffc296eeef21ba09ee

SHA256
1979b02496e3d71b4ea0d7b428b9e747bf41e5ee961f28aa031c98be9f59ecac

SHA512
5997572efc5f58b4841d23205565d2dd3cb8720b9dae46e66effa9881fb2f55e8c5d31bec798afa7a54111e0e2d8bc6b804b36e43bb13cb81d6e44b045a01c99

Download Submit
memory/1656-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-26-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download