f4342be5accba9a321339af0c93235a1d9ff6dd57bfcdd7150dbb8f126bfde86

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f583e048107b37cc9839a3ac3f7e680N.exe
Size

33KB
MD5

9f583e048107b37cc9839a3ac3f7e680
SHA1

780d82bb1cc9dfd7c5a4dab5412635443a9d1ce0
SHA256

f4342be5accba9a321339af0c93235a1d9ff6dd57bfcdd7150dbb8f126bfde86
SHA512

ed7eb08d1f5f4def0f36f1b1581f9bf51c697b2b619f864b40bb232fd05268178126bb0d7a4174a429bc99fe8b279675768763d0605f28253d239980987c8a62
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9VYHIs10YHIs1E:CTW7JJ7TDYHB10YHB1E

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3361) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2620-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a00000001227b-2.dat	upx
behavioral1/files/0x0002000000010557-6.dat	upx
behavioral1/memory/2620-70-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\bin\JdbcOdbc.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\lib\zi\CST6CDT.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\bin\jp2native.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\PurblePlace.exe.mui.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.svg_1.1.0.v201011041433.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Noronha.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Efate.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.tmp	9f583e048107b37cc9839a3ac3f7e680N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f583e048107b37cc9839a3ac3f7e680N.exe

C:\Users\Admin\AppData\Local\Temp\9f583e048107b37cc9839a3ac3f7e680N.exe
"C:\Users\Admin\AppData\Local\Temp\9f583e048107b37cc9839a3ac3f7e680N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
33KB

MD5
5d18f2544d7235f19d8e6a855c2ad8e6

SHA1
bf22be5318d6f8a23ab4defccc1386e785d940a9

SHA256
03d523ba2eada48e2e530b9fcc39039138b54de0eaaf06442d5321c79e1a4a64

SHA512
f3074f5adb9e759e589b885de8096471f0524f5ee73ee71650f98894b2b35c1369cd4f3b4cdaabe0f7b02d153c88452c67e974c71620d0d055ab209d0ee68ba0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
42KB

MD5
b97eb3210499f0c0c13ca075caa02dca

SHA1
71f1b20a58fdd3fe6545da57d9745c3ef79e7860

SHA256
02935415c52958987e3ecbc659f744ae272a1abe91f20333f6f0d594acf78d3d

SHA512
9a89c49dcd506fca3232f2961cacdd24d6e3fe77daa25002b329353b6de7b6c5ed4b1a6c282fa66039090a78c63f99d26945d77415dfe42cf0ec59e708ca2670

Download Submit
memory/2620-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2620-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download