5bd74eafb961341b0d4ea1d30833478921544ea3838e240c2c47dc74e478aedb

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

282eeb96717802c6dbaaa744654849c0N.exe
Size

26KB
MD5

282eeb96717802c6dbaaa744654849c0
SHA1

5fde9e6d117e436a29c8786cf4fcb9d731e5828a
SHA256

5bd74eafb961341b0d4ea1d30833478921544ea3838e240c2c47dc74e478aedb
SHA512

141bf8649e06e322d90b85248d84e3831671965e84e79eef5c6192640854764174d1f6ff641f27e6ffe715bcc959f17fcdadadaf71632e5e737e828d85cdc4b2
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9dEjl:kBT37CPKKdJJ1EXBwzEXBwdcMcI9dEjl

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3406) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1560-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000800000001211b-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/1560-71-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guatemala.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\lib\ext\meta-index.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\README.html.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\lib\flavormap.properties.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\bin\eula.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Karachi.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\lib\security\local_policy.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libmarq_plugin.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\bin\splashscreen.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chicago.tmp	282eeb96717802c6dbaaa744654849c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia.tmp	282eeb96717802c6dbaaa744654849c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	282eeb96717802c6dbaaa744654849c0N.exe

C:\Users\Admin\AppData\Local\Temp\282eeb96717802c6dbaaa744654849c0N.exe
"C:\Users\Admin\AppData\Local\Temp\282eeb96717802c6dbaaa744654849c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
27KB

MD5
6c0bc30fc4e29f5eddf021e34181cdc1

SHA1
fc00416aade92407f1044173631462cc957dbe53

SHA256
6b43409c49eb02925c3b6098a08267d09007a877e8e699170d5555b07f9e4d1f

SHA512
d9227175e4629133803fe722b35370f26f852a14f904f7a34c5955520fc25e4b5d90e5d7b1d2bc851da67a097ca6534ce13792f81457cb5e5d0a9bc722480887

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
36KB

MD5
6af99b818e84d8df2baca9ba9f5f7ace

SHA1
b0a1abc36c3b2c89b76f087831b347078fed79da

SHA256
b89139af0a3de581611db8679bfdd5ec16097456ed54b5861fa70a0597451303

SHA512
f4ffeab14f89c6f075442e11a14efb7880826e18c171c24ad2c9d92950862c0f187d2f534929a51f9abfe8058498dffa9a2fb6117973d95415ce38e367f60cfb

Download Submit
memory/1560-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1560-71-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download