57bcdf80a20fb3a5bf814019f5f13faefd21e5e7481c204ae6f3b16e8a0f4132

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d0143b5fcfb260b6a970037150a6f90N.exe
Size

42KB
MD5

8d0143b5fcfb260b6a970037150a6f90
SHA1

7c0d9c1107f175e1680d26f02185473e16f469ed
SHA256

57bcdf80a20fb3a5bf814019f5f13faefd21e5e7481c204ae6f3b16e8a0f4132
SHA512

c1158f6539dec0861205721e6a50b285b9799fb317155b2e6194675b5e4b426a9180b3f613ecfc65db0a2ba0f0da66e8ad279809da271c6d56beed544d0d6cb0
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0m+s2BGUG3oxoYM2M11Y:CTW7JJZENTNyl2Sm0mKX

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3246) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000c00000001225c-2.dat	upx
behavioral1/files/0x0002000000010674-6.dat	upx
behavioral1/memory/1796-71-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Sofia.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jre7\Welcome.html.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Internet Explorer\Timeline.cpu.xml.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Karachi.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Speech.resources.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-util-enumerations.xml_hidden.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png.tmp	8d0143b5fcfb260b6a970037150a6f90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d0143b5fcfb260b6a970037150a6f90N.exe

C:\Users\Admin\AppData\Local\Temp\8d0143b5fcfb260b6a970037150a6f90N.exe
"C:\Users\Admin\AppData\Local\Temp\8d0143b5fcfb260b6a970037150a6f90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
43KB

MD5
a50ce3c079b251a78e75e5b80545bd71

SHA1
17c7bc068b4ce956a9ddce8271f13718a5ae6e8c

SHA256
ac257a0c1a7ad0898b08b29765ac741d43867867eaf4aa8a6837db876b9002f1

SHA512
4f9e2cadf6159ce2fd163953c78a50abdc0e87225a853516cbb9662fc10ddc96415f30dbb76998a0be1d941e138f542fab976ec9a08fa9d136633cf30dc4300a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
51KB

MD5
1dc7e501a1e458f42d6d035f4b10efc1

SHA1
717db8b378e125dc3e858d8d6fcb924621ed3943

SHA256
0901b4f4390f707e13306b7efb0f6a9d2a6e82f7c033ad20a9d87852c2be32c5

SHA512
4f05ca3131b519faa37b2f3e8c06d1a834800aeb517ac287cbd639fb882df6e24d6260c8c99648921ca1e8ee11f520a4e1ccafa4ac9cf48dd31de5e5807b0360

Download Submit
memory/1796-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1796-71-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download