411913cbd6151bc4efd8fa3945e9b624892cf4626f9655cbb1efb98c648bf9ec

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0a396eeb4dc945da685a2e5d16a8cd0N.exe
Size

51KB
MD5

d0a396eeb4dc945da685a2e5d16a8cd0
SHA1

941f7bc910fdce2828e2613fe53311fe753025f4
SHA256

411913cbd6151bc4efd8fa3945e9b624892cf4626f9655cbb1efb98c648bf9ec
SHA512

3a9c6f239d7f13e0b7b4701a0484c8c2d511059dae7a62235174712b361877a4174ebf25235001e1ffbf4f0e75605fb25a15c266329523aed1b8c27d01ef5507
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9GRtfn:V7Zf/FAxTWoJJ7Tofn

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3213) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3024-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c000000012284-2.dat	upx
behavioral1/files/0x00020000000104da-6.dat	upx
behavioral1/memory/3024-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jre7\bin\jfr.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\MoreGames.dll.mui.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Louisville.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Volgograd.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_http_plugin.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jre7\lib\security\java.policy.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Managua.tmp	d0a396eeb4dc945da685a2e5d16a8cd0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0a396eeb4dc945da685a2e5d16a8cd0N.exe

C:\Users\Admin\AppData\Local\Temp\d0a396eeb4dc945da685a2e5d16a8cd0N.exe
"C:\Users\Admin\AppData\Local\Temp\d0a396eeb4dc945da685a2e5d16a8cd0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
52KB

MD5
bf775de880dc325c14ef4dc43042a8fc

SHA1
3c915504ba1fc03dcefde3179c0f0015798cc33e

SHA256
04668040aceb8ba4d61194685fc4f17fe41bc77b71db39379317965f8c6a0fdd

SHA512
1fd5d4c974036fc05bf5567f2160e88cbc1ae7d5cf7b840993fb3e326a7139e2ceb1268ecb9dd737ae98604b06c1f3498af2c8bdd510074611d23968e9b1a2cb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
61KB

MD5
3f46220ae36babc32bc7a6458ea7ea7c

SHA1
5d67635af4019791adecab65eccd816786f614f7

SHA256
cc64f98f39935f9784cdba1202c79782a340cb9eeb74094eb9ee45eafa3dc155

SHA512
05e2fa6c40fc61dd319785c6869365d79f73ea3c328ebb2edc5995b9d59ab09e55c917c84b3306c83c731e3d8600d18043b01c4756ce26ca234ef23f8952679a

Download Submit
memory/3024-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3024-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download