1200a049c7661c65c8abbcd0ca7dc6b3afb2d760625aa97c3fc0c8b41bdd5954

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 08:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e90ab5ef6f98bde273d4cf3463fd30N.exe
Size

66KB
MD5

39e90ab5ef6f98bde273d4cf3463fd30
SHA1

146cccc1314f748b1ebc3338245074796487e543
SHA256

1200a049c7661c65c8abbcd0ca7dc6b3afb2d760625aa97c3fc0c8b41bdd5954
SHA512

1e5a691b5eb3a18e10e389e5c0b840245d91286bfb8c70fb0cd90869db779839c04903b7ca28d712b3547eed5a9dd6e6e946c357c6ac3f1958e7ba3fb691b3c0
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzZ:CTWn1++PJHJXA/OsIZfzc3/Q8zxY5a8e

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2920) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0063000000011c27-2.dat	upx
behavioral1/files/0x0002000000010621-6.dat	upx
behavioral1/memory/3064-72-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_es.properties.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\org-openide-filesystems.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\GroupExpand.m4a.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre7\lib\security\cacerts.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar.tmp	39e90ab5ef6f98bde273d4cf3463fd30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39e90ab5ef6f98bde273d4cf3463fd30N.exe

C:\Users\Admin\AppData\Local\Temp\39e90ab5ef6f98bde273d4cf3463fd30N.exe
"C:\Users\Admin\AppData\Local\Temp\39e90ab5ef6f98bde273d4cf3463fd30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

Filesize
66KB

MD5
96479e8d64ca82bc19bb0ed483659918

SHA1
a61997993bafa7adac0e988012e65c43ea750eb6

SHA256
b2744ad30e15c180141252bc45ebe1c5cabb88febf634c002a55f0da12846d81

SHA512
f472752bc2baf127e97ffd3d07b895966d0dc341ad548f77021541a5896f650f8cc254930a8e9ec173e44cbc5cde0295b087e4710a887b5cc20cf615acf37d73

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
75KB

MD5
b433d088844a58e465278f199e864985

SHA1
a12837a9b87990d11793c205e3727ba715694d1e

SHA256
08076d9a3b37937ca49882fb7ead9e49ff269a673df1da5f066e6bcd8a029878

SHA512
09a8583bd8b10b33daa104a930d561c57ef0213469be84122538a244a200453c352b277b9fd12fef63f455eb8979f3f6612f876a428c4dabeaea5dd42a22e283

Download Submit
memory/3064-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3064-72-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download