bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
Size

79KB
MD5

b3c657fc11620a05687208fab41e2b57
SHA1

81fb987a864d2e0e65219fb08b80fb619ced2f7f
SHA256

bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05
SHA512

178e87bc4a210fe5dc40e18fad4edb832f9c36be3dd79e55c64911f102abd47d1e556935af34e2119bc928a561c840d2dd5e1574c0338305421afb196176cccf
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJBZBZaOAOIB3jM2jMO/7OSPmtcgmq45/4o:V7Zf/FAxTWoJJB7LD2I2IbSPmugmq4h

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (906) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1944-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000012264-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/1944-22-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\bod_r.TTF.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+7.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\ApproveSend.docx.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe

C:\Users\Admin\AppData\Local\Temp\bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe
"C:\Users\Admin\AppData\Local\Temp\bc49a3c646ce2343a9e7ea393a717dc7318606e890a76f4718412a0cb3270b05.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
80KB

MD5
12b9e2bdc20b29fa7fce5f50c64ee618

SHA1
48a25f4b665264c7c47c7a1ca57dda28738e225d

SHA256
b7c5fbd50e3e7b5cda754738a32437d6b442a906550c8d921ff936de7096955a

SHA512
a5a8802df56b67715289f6d93afc7566dcbe9ab4658a86926a375e1f330e57ea577648e1f38edb2ab995e94b5b464329f7f3c9bceb67b58ee74ba8cf6b191d4b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
89KB

MD5
63a5ac066c889c0547e21ea28844a93d

SHA1
c17d388aec255f0ccd69289fed10fc01efe80be7

SHA256
b3c26cf8d40086f8710f9c290e3e115fffad4eb160672f9a30d53f9014e11fb8

SHA512
94603059764bf9d3ee7fb89e120350addcbfd4da3cb06e6fdbc2ad8840a63df042f4c0d4ceb0decf0b9dad2fcec33a9faa98cc2b6087143d84008913c23206f7

Download Submit
memory/1944-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1944-22-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download