bdc38bdeb6d9708a69ac1e241d1fc41a3f6d17fb59d77e29372825132f0a9171

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a58d706891941f4c36366c7e78965cb0N.exe
Size

59KB
MD5

a58d706891941f4c36366c7e78965cb0
SHA1

7ef53e70786e51837a2a616ee0b9745f9a177b4e
SHA256

bdc38bdeb6d9708a69ac1e241d1fc41a3f6d17fb59d77e29372825132f0a9171
SHA512

1571d3cf8c20faf057fd04d0eecce23d7971e53c09861457630d2df8501ce8da9bd8b2410d8be2c0aaf65762253cf7116879ae97c7bc4a8550931b311aaccb94
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/tirZSZ9:V7Zf/FAxTWoJJ7TTQoQ2

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3139) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0008000000012102-2.dat	upx
behavioral1/files/0x0002000000010621-6.dat	upx
behavioral1/memory/2408-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IO.Log.Resources.dll.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jre7\bin\installer.dll.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Macau.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Juneau.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationFramework.resources.dll.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground_PAL.wmv.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\ChkrRes.dll.mui.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston.tmp	a58d706891941f4c36366c7e78965cb0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar.tmp	a58d706891941f4c36366c7e78965cb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a58d706891941f4c36366c7e78965cb0N.exe

C:\Users\Admin\AppData\Local\Temp\a58d706891941f4c36366c7e78965cb0N.exe
"C:\Users\Admin\AppData\Local\Temp\a58d706891941f4c36366c7e78965cb0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

Filesize
59KB

MD5
c5ba460b0978952583580d6314103b40

SHA1
9052a0bb64ef4c6d3ee3b23a149a943e183432c1

SHA256
20bcdacf379c4af797f16f3a25a45cc1268baceaa9d7981e033da9edda2e67c3

SHA512
c777bd7b008d5195cc3d58919048f9199420dd92632c4df0b24d469a2fec6381947e12ad517e64f3865805bbf5fa9756f2ecb652799754887cf78d3bfd64dc50

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
68KB

MD5
c00a7e4588f922dbca247b1ddca9c2f5

SHA1
58e5aeb7edbd493412f89d86fb571b84ebc0c1fa

SHA256
62c940fd4b50fc9a15ba2530b81f22a741b47da02a3bbc3857527cda62e7b36f

SHA512
7b82df52cb4b21be6b90e451e6924fd08d4287969a6b5d631937d7dc763b0961e7d96a8e27080a1d4787b0d9a2d765b735f40f4f6da178cb10051f752a072153

Download Submit
memory/2408-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2408-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download