040d9d1b852babb989a666876605cbf8e56e3bade18fa1da874bb89548888d4c

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

438789ffa009e632098f1affe8eccda0N.exe
Size

42KB
MD5

438789ffa009e632098f1affe8eccda0
SHA1

ec57ba466d82ce4cc97ec2ba63b32f9483344d92
SHA256

040d9d1b852babb989a666876605cbf8e56e3bade18fa1da874bb89548888d4c
SHA512

4c1f9bcaf2d100461839ab6d2e78d1c2318227eb7aabcc93d94b4674f3d40a666c60a45ed55c6e5a8f6bd3c7652c7b637e58f451ec22d82b14ddfac26ed90083
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKvhWSwSKV0S:CTW7JJZENTNyoKIKMSwSKWS

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2300-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a00000001202b-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2300-69-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\content-types.properties.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\VideoLAN\VLC\axvlc.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jni.h.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Mozilla Firefox\updater.ini.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cayman.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\index.html.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\UCT.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgRes.dll.mui.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Denver.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12.tmp	438789ffa009e632098f1affe8eccda0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.DataSetExtensions.Resources.dll.tmp	438789ffa009e632098f1affe8eccda0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	438789ffa009e632098f1affe8eccda0N.exe

C:\Users\Admin\AppData\Local\Temp\438789ffa009e632098f1affe8eccda0N.exe
"C:\Users\Admin\AppData\Local\Temp\438789ffa009e632098f1affe8eccda0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
42KB

MD5
8cece9b713e5e3b6482457012ed4bdf6

SHA1
868ab91c60000357824b19cc08e1bc95ccbe2c41

SHA256
60b86cdd48f1b008e870345930c4f58fc7785554101ce3b70aec67c0c84bea3d

SHA512
1799cb098bb8fa815a49a6e97f824bb6a6924e299a3f91712e82c90823c6ce579a9af59ba3d32354de1b9f8aeffc333f33bbe5fe2e7902ad851ac6ae92bb8820

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
51KB

MD5
93a1d85b07d461240a1893c22f5ac5f7

SHA1
41d5fc1be2454d8d087d22febf34edc1035e9578

SHA256
2d71bf7e57b93605cee906110f0f70c8bf3fad17a73f0ba0ce3cc1d5969f00fc

SHA512
c1abef8e1781d830070026cdb759137929d5233350d8041e85c5093277f9c100a1f89aef3af9ca264f772b141b3189db23015b538b9386fdfd7ac246e32fa961

Download Submit
memory/2300-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2300-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download