9ab62910818ea9dd7c54777e4af652521a40c5b996502db61f4f1f0ebc9fda8f

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81804d6ce551a73b38a5e844a8cb2290N.exe
Size

50KB
MD5

81804d6ce551a73b38a5e844a8cb2290
SHA1

b821c18dfa78f50ea87f0ea4f73753a8f7a393c8
SHA256

9ab62910818ea9dd7c54777e4af652521a40c5b996502db61f4f1f0ebc9fda8f
SHA512

2d599404150db8928151b077a07c1a809a93456f43233bb5b5c19ba5579e83b0003c8d5d830fe28af8f4553a13c025fbf2a1fc9ec5cae6a30e40627fd6288525
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9nGcjkK2rvVk//Nyz/VCyz/Vh:CTW7JJ7T7jkKCVk//NypCyph

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3328) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2056-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0007000000012117-2.dat	upx
behavioral1/files/0x0002000000010674-6.dat	upx
behavioral1/memory/2056-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsBase.resources.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\RepairExpand.vssx.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jre7\lib\jfr.jar.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Mozilla Firefox\notificationserver.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\SuspendFormat.mht.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Budapest.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Microsoft Games\More Games\MoreGames.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationProvider.resources.dll.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.tmp	81804d6ce551a73b38a5e844a8cb2290N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81804d6ce551a73b38a5e844a8cb2290N.exe

C:\Users\Admin\AppData\Local\Temp\81804d6ce551a73b38a5e844a8cb2290N.exe
"C:\Users\Admin\AppData\Local\Temp\81804d6ce551a73b38a5e844a8cb2290N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
50KB

MD5
50518978efb270040903a48edb9c8f98

SHA1
e51514c1fb0463b7ad30843e12ba3b4136cccc87

SHA256
f178a621fccb4ff42e7586cf0e8ed52596d162596f8e35be5ef50ea5abe2b55b

SHA512
f34ae6b0038e8f29e616afdb973733ce8d7c67e354d1041f4b01fd42d8830d45af3540ee3ab3aa22ae0811cf2096afe82d52a8ed79e3aec987a20037a603732d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
59KB

MD5
f7c7c0e93ff3786a6914d33b2e069de1

SHA1
0402c00eee0951c5ffa49c0495bda7381122409e

SHA256
25f2b6caec5df77b25e1b5d5534428a84836a89f2f7633438f54bb358ae334ca

SHA512
30ff9cc6503930ebcd04690632da5769dcfb9897e6c24122d5e8d7a64fad31f3b53cef3365568e8729907b806a7524e2b78586a8df3f81c8c552ab139b1fa672

Download Submit
memory/2056-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2056-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download