c4bd8a6a5ba2fa5b8247e67ffb1902664225642eac0a21cebc145965e64fc856

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 04:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca226b42d38a747e21571cc09025cbc0N.exe
Size

76KB
MD5

ca226b42d38a747e21571cc09025cbc0
SHA1

313988561ead0b2a179d8c2c25a15d46d044908f
SHA256

c4bd8a6a5ba2fa5b8247e67ffb1902664225642eac0a21cebc145965e64fc856
SHA512

dadac8d9326f84a42fefc66ff6fa95f8e6c5e3a5e75ed2697b0d77d37186b988de17210ee51b93e021a9a95664748998e2568ec5a756e0c18000ba735a0587fc
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9woOzOuiJfoOzOuiJ1BT8:V7Zf/FAxTWoJJ7T4MgTW7JJ7T4Mt

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3209) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b000000012270-2.dat	upx
behavioral1/files/0x0002000000010617-6.dat	upx
behavioral1/memory/2072-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jre7\bin\libxslt.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgRes.dll.mui.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png.tmp	ca226b42d38a747e21571cc09025cbc0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.tmp	ca226b42d38a747e21571cc09025cbc0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca226b42d38a747e21571cc09025cbc0N.exe

C:\Users\Admin\AppData\Local\Temp\ca226b42d38a747e21571cc09025cbc0N.exe
"C:\Users\Admin\AppData\Local\Temp\ca226b42d38a747e21571cc09025cbc0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

Filesize
76KB

MD5
ee75a56ef0f6317794156d89c3332105

SHA1
2daf0271b6d2ec0fb77cdd2fc20dae202d7a2332

SHA256
377bc5052fc7ee55c1085416979dc77ff8d65ebe7b5484d0787120694a8e3a98

SHA512
13904563a48fbca88ea86f6f5be0c11f5f96dc2b56868b1c02296463c489545916b113f97dd1aea9c8eed4f700f41dcb02483d0eb6ac998b39f4bc5eb72b1f7f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
85KB

MD5
fb565a8d309a7a7c90e2f4898b195f0b

SHA1
a6b612073a1707a656793b6e1139703fde45d1d6

SHA256
4524b5d0160040582e9d025ebdadaa51a55b37ad7d725d602f131b0f0b3dcf1a

SHA512
ce1b625177f9d72a388d07c7ec5e505a93b1f71d0b148bfaffee76c42d1cf614523c38167786f6a8ae8f8394bd1b28d6b77f17544df7493b0e4b6298afba02cb

Download Submit
memory/2072-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2072-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download