006c818d1d9ac6d7057e98fce9d9d5940cc3b0ef8e16d295f335e04a492d9091

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3636877721e13f79568c89f06840b2b0N.exe
Size

35KB
MD5

3636877721e13f79568c89f06840b2b0
SHA1

594a1218a69895f2a702831f34a5c14567964ecb
SHA256

006c818d1d9ac6d7057e98fce9d9d5940cc3b0ef8e16d295f335e04a492d9091
SHA512

f6d3dbe7cafa5eb1ad90882f61537303512e9c59ec9bf4f498218495cddd626a9e3277bc1e443b60d2a4d2d7a2da8442892911adc42c34f426a308c3dd2cda0d
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0mF09Ub9US5AJx05AJxo:CTW7JJZENTNyl2Sm0mSWbW2

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3451) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1528-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a00000001227f-2.dat	upx
behavioral1/files/0x0002000000010622-6.dat	upx
behavioral1/memory/1528-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\PingMount.MOD.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Manaus.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Maceio.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Java\jre7\bin\ssvagent.exe.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libinflate_plugin.dll.tmp	3636877721e13f79568c89f06840b2b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3636877721e13f79568c89f06840b2b0N.exe

C:\Users\Admin\AppData\Local\Temp\3636877721e13f79568c89f06840b2b0N.exe
"C:\Users\Admin\AppData\Local\Temp\3636877721e13f79568c89f06840b2b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
36KB

MD5
5d3c2fc54d51689ebdbe9069625147d7

SHA1
de15158e55f99fe52f696e5221b55e133a52ee66

SHA256
7ed54716610c759925d559a6f293cf157653fbf9a98741a233e2c667d7bc0946

SHA512
d3899bc01064d712da79f8a75f39c84e1bf7f8e20a3733c4379aee6bb168e1b7ee7ff854e9a5177b9341d036743423e157b41f721c835292ceea72607d56c414

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
45KB

MD5
8a7007b13cd7a106006b8399e71db5c9

SHA1
982ae3eed35b2e615a859218216349336ac50de2

SHA256
05f3b659332366fbf74efeca263ea2ccb89d6c4af10d677fe9377b39bcabace8

SHA512
ff61e43b7388b714a0a0e544ebbb71ee30857af1712ae4b33ceabbe25fe366ff9186cd95a66f1570aa07529d5578a58466213d49271d0934af7458ebaf4cac1d

Download Submit
memory/1528-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1528-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download