2b339fd3cf5d82a6fed1a68aaaa8237a07e71288b6916abfd154bbf4bf725b4e

Analysis

max time kernel
118s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c06a5558d95f4a5ca91fd483320ef80N.exe
Size

67KB
MD5

3c06a5558d95f4a5ca91fd483320ef80
SHA1

3538a296018ebcf558f2517b0b27baf9b327127f
SHA256

2b339fd3cf5d82a6fed1a68aaaa8237a07e71288b6916abfd154bbf4bf725b4e
SHA512

b64193e1730a52fa5b13a6e2df75c715bf352f26dfbdf41f466e40ac9dcf0839d58638955e2b7318041f006b99c744270fc264206f357fc1fc85c80d6ccb8db2
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiFDFCXXT:V7Zf/FAxTWoJJ7TTQoQFDFCXXT

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3007) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000a0000000120d6-2.dat	upx
behavioral1/files/0x0002000000010617-6.dat	upx
behavioral1/memory/2336-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jre7\lib\logging.properties.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jre7\bin\libxml2.dll.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jre7\lib\security\java.security.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\DenyImport.search-ms.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\London.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jre7\lib\jfr\default.jfc.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik.tmp	3c06a5558d95f4a5ca91fd483320ef80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c06a5558d95f4a5ca91fd483320ef80N.exe

C:\Users\Admin\AppData\Local\Temp\3c06a5558d95f4a5ca91fd483320ef80N.exe
"C:\Users\Admin\AppData\Local\Temp\3c06a5558d95f4a5ca91fd483320ef80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

Filesize
68KB

MD5
319aa1cecc05753dd7983a5c5a415a82

SHA1
c0a4a2f2cd3156dfd3f4805e852f78c0a095f74f

SHA256
8f95d5fb71938868d07b8122f284a70baf452ba62d2e8f57121f863245541d81

SHA512
624cf7408f39353c82b1925f85e3bc378074469d511ccd9a9a4d341c4423e560edb76a6774f25326b3dedbfb44b63a41b1ee5f52606ad97950fccacb3a30a3e0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
76KB

MD5
7619c2cc142eea28ce41b0c4925e8121

SHA1
58f09f6a405f6710ed13ad22f7d5b274c74401dd

SHA256
98f2535fe1fb22e707237f4f1dc94abee8174244e8f61f320cdb165ac2e847f4

SHA512
07b1930242ed2f600b3a27e145595be6379b4704e316977586e49a42d0dbb2969ea70d0596490915b06ba208c6c42a2f7498f64b1c7cf4846025dc942b73ead7

Download Submit
memory/2336-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2336-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download