f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
Size

100KB
MD5

2894b74c431a90283937f69fd1dc90c4
SHA1

de175f6c4982b964db03f1056a75b252bdf793eb
SHA256

f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9
SHA512

2a8f1d210495c1c76e4f24cfb074d0940713bfa64f0da9b0e05d98214d627f0ac50fd1ab7c6ba1d293d80e35ce60ba0fbae372447e3066a5b860d5bebaf29a5e
SSDEEP

1536:V7Zf/FAxTWoJJ7TTQoQIRUTW7JJ7TTQoQIRh:fny1oRIR7oRIRh

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3434) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3044-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00090000000120f9-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/3044-72-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Mozilla Firefox\qipcap64.dll.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\VideoLAN\VLC\libvlccore.dll.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\NOTICE.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Bogota.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jre7\bin\jdwp.dll.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jre7\bin\jp2launcher.exe.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Media Player\wmpnssci.dll.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\gadget.xml.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\settings.html.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_TW.properties.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_ja.properties.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\drag.png.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rio_Branco.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Sofia.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\localizedSettings.css.tmp	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe

C:\Users\Admin\AppData\Local\Temp\f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe
"C:\Users\Admin\AppData\Local\Temp\f5db36cef3cc8011f594e5da0789389e6dfd8cb07de75faac356c5631d865af9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
100KB

MD5
9a4a30086886fb61b93ed6dd1f72a53b

SHA1
28a32c7ecb30d8999e182c46beec8abaadf43056

SHA256
ffc0327306989324d10b5bfdb3da3c1fe5625d94fa64ad2b374e17d3bd11e571

SHA512
18744b9c25e47ddff0d8a3dd2e24fa08f2959bc9e84d1d3799619dd73fc52454b93139b2844d9b5481a558a8001f7b8eec54beb41ffd091fb30092e4583e8fa2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
109KB

MD5
f5d2b8324da11d86c7ce6fec7c314723

SHA1
c40e789d74462257396814af9fc7b8839158f9fb

SHA256
6c3f534c1040b5b760fb9d25cfb89462b557d9f986f27d35b9f36e0074864f59

SHA512
c9efacd269a7fc208bb4a37fb4d708444ad7e097bd7b464f3e55a5cc70a9ca60544f4af2c732239d221cd15b1efff58f7550856661d4e150df83590dd949657e

Download Submit
memory/3044-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3044-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download