29bb1b6879975ee5bc7fe659a02f9d73f57d2a1c889b808aace3e38a85458ae6

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c71836b42b863b16bc24c2d89c781cf0N.exe
Size

42KB
MD5

c71836b42b863b16bc24c2d89c781cf0
SHA1

e7b2a1d5567fab4f4aaea76e2123927c3ac40f4b
SHA256

29bb1b6879975ee5bc7fe659a02f9d73f57d2a1c889b808aace3e38a85458ae6
SHA512

37a457f9561ecc61f0e7dc22974b9db933477de2164f73e7cf4425d2ce213ed28cb03fa23df4f35e3f8a96635d92fd19784816e8aba991a95a65dc03b82c2532
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiWkjktJwxJw6:CTW7JJ7TTQoQWkjktJwxJw6

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3378) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2444-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0005000000011c2f-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2444-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\DVD Maker\Pipeline.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\chkrzm.exe.mui.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jre7\lib\javaws.jar.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayenne.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Palau.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-spi-actions.xml_hidden.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtextst_plugin.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica.tmp	c71836b42b863b16bc24c2d89c781cf0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c71836b42b863b16bc24c2d89c781cf0N.exe

C:\Users\Admin\AppData\Local\Temp\c71836b42b863b16bc24c2d89c781cf0N.exe
"C:\Users\Admin\AppData\Local\Temp\c71836b42b863b16bc24c2d89c781cf0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
42KB

MD5
eee3966eb0581ff32b5dd7f15c96b01f

SHA1
fce97b4203d7a8f405572a110fd4eb4b0e76a8f8

SHA256
28b77aca46ff98b3d80a5696b4f242f31d37b8bfa38a823da2926cd5372b8008

SHA512
88787fa813dfc704b08f500053ef0f777160383031be6d2a6f859281556126ed4a18980144a1efefddac9de2ac455ee53a65747212b07d19527337138c8bb5ce

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
51KB

MD5
004afa768d12650512b4c8e49674939e

SHA1
727faed3163e29603e9e3d9dba95aaac5e1e2ff5

SHA256
4c249a1816a35fc9287df1006bebd22c03af67dbdac151f1629ae2b32d2ddc3d

SHA512
c9c7786157c2c8a62cd8890d546302b87bb32d051ecf1abe453aef9baa5566eab3e8e1cd74dc6db8377d74e486d041b8e8c9438baf7f339f98d3a6bc9fe2bf3a

Download Submit
memory/2444-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2444-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download