6f5f96945eb1488c8ed4bad9bc4fc55852a93520a7491568fcb7baa485d1fdd9

Analysis

max time kernel
120s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 13:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b3ade754e009c3bbcae179dfbecc3f0N.exe
Size

89KB
MD5

8b3ade754e009c3bbcae179dfbecc3f0
SHA1

1f8f1a02f28b86278107e67717833b35ab8ca4df
SHA256

6f5f96945eb1488c8ed4bad9bc4fc55852a93520a7491568fcb7baa485d1fdd9
SHA512

b4154aa5a4bab62c79b8ac6a9e959ffbf47700c65413cb9d9466626237958c30434d5a8dd854010154d7a075e549c30051968c6d21d713370621ddd0b24264e5
SSDEEP

1536:V7Zf/FAxTWtnMdyGdyoIOIPwXwRsDTsDa:fnyGnCIOIPwXwRsDTsDa

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (329) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1592-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b000000012261-2.dat	upx
behavioral1/files/0x0002000000010480-6.dat	upx
behavioral1/memory/1592-26-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp	8b3ade754e009c3bbcae179dfbecc3f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b3ade754e009c3bbcae179dfbecc3f0N.exe

C:\Users\Admin\AppData\Local\Temp\8b3ade754e009c3bbcae179dfbecc3f0N.exe
"C:\Users\Admin\AppData\Local\Temp\8b3ade754e009c3bbcae179dfbecc3f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.tmp

Filesize
89KB

MD5
9514bf03490e2541e709b58cbbab5f0e

SHA1
ee68c59af33bcfaab103b92603d205b849bb615c

SHA256
7f77cac592bf20b0aff6d3a27d049d3c001d7360c3b4b749ed3c416aa3ea4911

SHA512
77a3201506f338c8c924ed5dc9aeff47e8c3b1434b4560292b6db60d62ef655b01774f0b49acda08dd47a4829f8395f3f3e12ec5e92a480a28537c257d54d3e9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
98KB

MD5
c085a0d42ea3a43fd5a2f234c21d8ba4

SHA1
fd5c270c35f7fae4212a024cf8fa9422a2cda23e

SHA256
d3722040b749ba18ad44f5fbabbc7d28744efbbdb6807339f38ebea3f9048546

SHA512
ba82a224a0f5a31f4224f4efa2d9e939bf479c784e01f470705f6bc5758031cfbe06c8fdfa305fbe7dcc199ca5ffde0f740ad46f6578ac79aefd2bf7db09fa6d

Download Submit
memory/1592-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1592-26-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download