9b6c0062b78be72d1d23faabdd2b1e71461937cf53c37f22a0b07d731660b430

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89c696f3aa7a6f44b948049a8208f060N.exe
Size

55KB
MD5

89c696f3aa7a6f44b948049a8208f060
SHA1

ebb90a62499a4634acc37816072038acd0538f1d
SHA256

9b6c0062b78be72d1d23faabdd2b1e71461937cf53c37f22a0b07d731660b430
SHA512

808efdda51f21c5bb61457cf72c3574035194be19c29573f78d05ce40ebd67fe04a8419c148f905b789f2aee7551314ac0b48cfd3d263ffe2a955eb0c910edfc
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKF9ADJy:V7Zf/FAxTWoJJZENTNyoKIKMk

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3201) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2496-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00090000000120fb-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2496-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\bin\klist.exe.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\.lastModified.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\lib\management\management.properties.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\lib\jfxrt.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Thunder_Bay.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Damascus.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\FreeCell.exe.mui.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\bin\sunmscapi.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Mozilla Firefox\firefox.cfg.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Juneau.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Mozilla Firefox\mozwer.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp	89c696f3aa7a6f44b948049a8208f060N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.tmp	89c696f3aa7a6f44b948049a8208f060N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89c696f3aa7a6f44b948049a8208f060N.exe

C:\Users\Admin\AppData\Local\Temp\89c696f3aa7a6f44b948049a8208f060N.exe
"C:\Users\Admin\AppData\Local\Temp\89c696f3aa7a6f44b948049a8208f060N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
55KB

MD5
9610c8a73efb6832ef9f1cbe2995c26d

SHA1
8fb9c7fbc1b6782b3558e69f3922ee281e78b080

SHA256
1ec3886331de7e19bef7d8498c8dea16891e7aef1dc8f3a1de2c5eed62e5004b

SHA512
327df631bde5d736a0b78b99365c70e0409ca57bd3dfb7a51218932162c834c3c6cbe9f1dcceadb0c6f1a06dde98543b1f3e22c55b95230a939c5f66333d5a1a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
64KB

MD5
6d335a390c7b74fd3b52325b6d78cdf7

SHA1
f091d536b802a58aabbd4f97a819e2c078920b5c

SHA256
47399f4137673801b27b30c96886ab9ed9802b0c50f63bc2e4e6873580892d9e

SHA512
db16ea0b7727c7f88871d72848e15b2eec0eeed93a0f2c09078988a9713361717d6c1fb4152a286b48393ba35f973fe8755ff902e03d1725ac93376d05de4d0a

Download Submit
memory/2496-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2496-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download