43ef0fa3dd101cadf7ff73e043837dc6d658a82b40f65fced311795a8c9b347d

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dee110e57390b33981e1c1befb3501c0N.exe
Size

30KB
MD5

dee110e57390b33981e1c1befb3501c0
SHA1

9f334a242a9c5fb82ca10f352daba7d0ea0baa93
SHA256

43ef0fa3dd101cadf7ff73e043837dc6d658a82b40f65fced311795a8c9b347d
SHA512

b57c14a7b453294f400693edeba748f3a9218d640cf85eff2642891ff00041560718e78d1824837b651022e64a4b265dbbdf159c8f55ddb366a1ec401d6fb799
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9nxOP+UDpOP+UDJ:CTW7JJ7TrOP+UDpOP+UDJ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3217) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00090000000120fb-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2644-70-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jre7\bin\ssv.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\SplitOpen.ods.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jre7\bin\JdbcOdbc.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Tunis.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\Solitaire.exe.mui.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\vlc.mo.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guyana.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jre7\bin\jpeg.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.resources.dll.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	dee110e57390b33981e1c1befb3501c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.tmp	dee110e57390b33981e1c1befb3501c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dee110e57390b33981e1c1befb3501c0N.exe

C:\Users\Admin\AppData\Local\Temp\dee110e57390b33981e1c1befb3501c0N.exe
"C:\Users\Admin\AppData\Local\Temp\dee110e57390b33981e1c1befb3501c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
30KB

MD5
b838d4a0a71d69e1a26ac8683c6dbd47

SHA1
19d7af50dffcf448616f8b71e37e4211b33fa767

SHA256
7614b5b78787f9c6a7d14d9c848759b8ceaedba6f5b4c053fa6e56683b996186

SHA512
e40c48d9eb5044013a2b22217660692e8e2d8755441a3361f23c19358955db0d52b2f3cad26adc6005b38fb1c9a329405abcd259940b0131d93445be056499e8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
39KB

MD5
10ba1973e72cffe397f2b72b22601f42

SHA1
3bdacde26a6b3dcf0b315f4c05b8b93feb50a47c

SHA256
4444bc933ac07e6ac76d59ce6e708ee13afccb6399ee7e16fd5425c32f56df88

SHA512
5d77a907e88632f7c308cc438ec0dea4beaf510340716d51b062320dcfa9e1dc1775a64df6a28e7215625894325cf54fd29354f2acb02ea3c4eeceac46f98e18

Download Submit
memory/2644-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2644-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download