d7ca6d9d530150fe3a3f645713892515adaaaf74380beaad9afa504130325df5

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

946cbd469246c88e78e77c41fdbdc780N.exe
Size

53KB
MD5

946cbd469246c88e78e77c41fdbdc780
SHA1

1f2c1be2117a211ac11e86f123f870486d47d65e
SHA256

d7ca6d9d530150fe3a3f645713892515adaaaf74380beaad9afa504130325df5
SHA512

2c0437f018478b1b6c65f14bc71fb3ae68d1a21432047d354f17ec9a9224f96e2b84ddb8165e575168c83d2953e82844188600018c349d54c9092c30e2bb2693
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeinMdD:CTWUnMdyGdyoIOIZgv

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3264) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2516-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0007000000012119-2.dat	upx
behavioral1/files/0x000c000000010546-6.dat	upx
behavioral1/memory/2516-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Internet Explorer\jsdebuggeride.dll.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\ImportNew.dib.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jre7\bin\awt.dll.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nassau.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Mozilla Firefox\IA2Marshal.dll.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\ChkrRes.dll.mui.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Martinique.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1655.dll.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.tmp	946cbd469246c88e78e77c41fdbdc780N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar.tmp	946cbd469246c88e78e77c41fdbdc780N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	946cbd469246c88e78e77c41fdbdc780N.exe

C:\Users\Admin\AppData\Local\Temp\946cbd469246c88e78e77c41fdbdc780N.exe
"C:\Users\Admin\AppData\Local\Temp\946cbd469246c88e78e77c41fdbdc780N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
53KB

MD5
e6e6b5a1a21ca1e45ff3a68bb91c8e2c

SHA1
7bf17dd1b4451960d9639323fb6c872da14563ef

SHA256
2a28401356e63068cc5053f106e69a3a962146e3d9aec8f2da32c6834ee469ae

SHA512
55792981f0a458ce65d8e40dba87191685b98e835ab72d499498eeb5da24e32ba5a783b8fa3db8ac47f2b4065a0a846cd6d341636b170ed10134f5bef86931f2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
62KB

MD5
c04f9f4901f5b77866f8aa9515ac9e99

SHA1
309c3f00dd17bc06ff4bd765a55a0964cba58fd6

SHA256
1049a62a717070f1fa66f900454f6a3bfd7708dc9fdf8632afbf24dcae6007ac

SHA512
70e0c9596d1ec37375d7bc4924c2a705bf72247fd927248d53d6ef71b14400cf4e467890188279089176388af7c8576cb5b5100c955093719d77ce168098578d

Download Submit
memory/2516-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2516-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download