321a3d99805bad39358f205b6a6384a67ee775be5a4d4c6b601faea89a83a86e

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef33cca6c657b0841236c1cf3157c8f0N.exe
Size

54KB
MD5

ef33cca6c657b0841236c1cf3157c8f0
SHA1

17ef73bf2e2df47a7dd6fa990e8de74565744a00
SHA256

321a3d99805bad39358f205b6a6384a67ee775be5a4d4c6b601faea89a83a86e
SHA512

cde97df4550e0515cfa2a30ac541a1ac4baeddf2680f168fa7407e3b8bee00983153eae684e58e893a2713e5e0356f0daa5d0bc895c8a46af836ce95b73d255d
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9bJSsJSCQZbQZw:V7Zf/FAxTWoJJ7TFJSsJSBcw

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3419) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3000-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0006000000012118-2.dat	upx
behavioral1/files/0x0002000000010622-6.dat	upx
behavioral1/memory/3000-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Mozilla Firefox\mozavcodec.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_smem_plugin.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Tunis.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jre7\bin\jaas_nt.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jre7\lib\jfr\default.jfc.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\vlc.mo.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\BlockOpen.png.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp	ef33cca6c657b0841236c1cf3157c8f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef33cca6c657b0841236c1cf3157c8f0N.exe

C:\Users\Admin\AppData\Local\Temp\ef33cca6c657b0841236c1cf3157c8f0N.exe
"C:\Users\Admin\AppData\Local\Temp\ef33cca6c657b0841236c1cf3157c8f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
55KB

MD5
22938899df799ecb737cab144eb0abb5

SHA1
3f0cd4ef7f3212d61ab43e2b4a71970677e4c6e6

SHA256
c141011a4e23ed61cd43585437f73911da98cee55d47ceb5a7fd4b7fb4390a74

SHA512
393d78e67a5f1216be7de307ad00ba86a261f8da754648c19386bc2f5485d258257cfc18cadd034c492447254f3f7bd3177bec809d8f56d2bc6d6cdee602decb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
64KB

MD5
37179079dba153f93a690607ebfd23dd

SHA1
5c981006a9b56866afd9e9c3460b627d0ddc5fb9

SHA256
613521fe5a224a84631c3089b37607e2234d5153497772c85ef35b48403e7f6f

SHA512
4e1961a5e237909a1f426a5ded20aa3b2b4c0d7b17e61f9c768be4dc17dc64c5707bf477379bbd1cff77fa7ecb9d9f24ac4d00f0efe2d73cd1583a28bf3dcb04

Download Submit
memory/3000-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3000-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download