0c71a663a0a88406c19b46ffe119f1a539c71599c467caba1e951554485f8514

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d2ea55c0b9ea76563e4c6033600800N.exe
Size

59KB
MD5

73d2ea55c0b9ea76563e4c6033600800
SHA1

5058e9c40ac64b3de859380688dd5442674b4832
SHA256

0c71a663a0a88406c19b46ffe119f1a539c71599c467caba1e951554485f8514
SHA512

f0578505e13f7f46cb01438bff68043cb33360695684a0eab2dd9713a3eec377ebd55cc164c560ca9f33eb84d0297042455d95325e8173a8c75a51ca46dd702f
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9Ti9Ei9+z/:V7Zf/FAxTWoJJ7TV7R

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3336) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/400-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120fc-2.dat	upx
behavioral1/files/0x0003000000010330-6.dat	upx
behavioral1/memory/400-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\OmdProject.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\jfr\default.jfc.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Belem.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Samara.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Brunei.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\DVD Maker\bod_r.TTF.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ShvlRes.dll.mui.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nome.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Bogota.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Paris.tmp	73d2ea55c0b9ea76563e4c6033600800N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73d2ea55c0b9ea76563e4c6033600800N.exe

C:\Users\Admin\AppData\Local\Temp\73d2ea55c0b9ea76563e4c6033600800N.exe
"C:\Users\Admin\AppData\Local\Temp\73d2ea55c0b9ea76563e4c6033600800N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.tmp

Filesize
59KB

MD5
aeadcf9296da060d7680132f0207d8fa

SHA1
36c51131ee5011efa2f5431bc434efc47bf73179

SHA256
3e767c98d0b9c38e7ff9388e7085f4af979eeebe14e79ec789063d63f7f5fc2e

SHA512
90b900f30ed7c73f87874438700e9793fa29d468b559843e267de10e4bdf145402bdd4e613903bb2ffdde162f23353b4ca5fc0d2eb37811ebb88467bd71de1c9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
68KB

MD5
7ede4a1aa00b40a5bf1a724cadf2141f

SHA1
7ec33434a4bb7f5bd56eefe7f10b0291336c10ec

SHA256
b7ccde696ff3b7d6009ddff72e23db5adee089e52b0d28bb32c6f6dcccaaeb5c

SHA512
e41e9139bd673bed2369a48f4a69dd52daf764c545f0ff6347b176b67585dc77fbd7e7f41368aa66c483061665d48983567e6d514f3b2cac4c2f124b4713ca0f

Download Submit
memory/400-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/400-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download