c73a74e02e7a5447471053461c7d98442e56416ae747b3841ce6531f605de6f4

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
Size

152KB
MD5

3ace52cd0bbb1853ab1d76e38b3b3d20
SHA1

1d40e86aedaca8429c0ed640711e96e52110fbfa
SHA256

c73a74e02e7a5447471053461c7d98442e56416ae747b3841ce6531f605de6f4
SHA512

1987856f5f610cd158e7c65301037688042a78f8e80680e93d0e76cc52285b09c67ded1cb49b9d60bdedc3b85ed81d67c36d0d97f1f227005d3c122ce2e28f30
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxY5a8fTWn1++PJHJXA/OsIZfzc3/Q8O:fnyiQSox5a8rQSox5a83cc

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2780) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2388-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000a00000001225a-2.dat	upx
behavioral1/files/0x000400000001043d-6.dat	upx
behavioral1/memory/2388-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\MST7MDT.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Maldives.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Jamaica.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\bin\decora-sse.dll.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\bin\unpack200.exe.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\release.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chicago.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png.tmp	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ace52cd0bbb1853ab1d76e38b3b3d20N.exe

C:\Users\Admin\AppData\Local\Temp\3ace52cd0bbb1853ab1d76e38b3b3d20N.exe
"C:\Users\Admin\AppData\Local\Temp\3ace52cd0bbb1853ab1d76e38b3b3d20N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
152KB

MD5
03d761298b5599d4403838989a6c3227

SHA1
cc1a3c0e4bc1a538d9a5ec0d74fb291621527a7a

SHA256
f67edfcf3411b99d5c7ae987e2f7fecf1d7a03e1b80742cac2944d44551f239d

SHA512
494138536232f1d1b0ef0c53a60d9986d354ad7cb212c5ee8179ba07aa4def8c6716399fabd4f14ac964038a969acd76bf29a619f7a170eedaa28558634bfa9a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
161KB

MD5
f124fd5d17b8e1c6b16bd2b589a8ec11

SHA1
48617c76c33a9931190c6957a3c478e71d94da2a

SHA256
4f2b595ab4502dbc33ab63c4a958d1a9ba260cb0859339a5842518ae41202af9

SHA512
9ac6192ab21f63b8632e55c22ba87296b2ee4b41208f0b792cd5c05c96a345224912394319736312729e014ba1e5eeb434523fab46c95e7ef904e716340fc981

Download Submit
memory/2388-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2388-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download