f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 04:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
Size

90KB
MD5

a546d4da7ffeb5f31f5a7a9e44b22010
SHA1

e110e832854e42773931fc96ff457dcc355852e7
SHA256

f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4
SHA512

43279c084f90fee2dca01ec30ccf2fda835fe520ac1a8eaca95ad3706434106904576032cf48801e2856fd73ac17745b1eb935fb9ea88305e45ec9b15201f116
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxY5NKZDLKZDV:fnyiQSox5WDgDV

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (414) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2656-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000012255-2.dat	upx
behavioral1/files/0x0002000000010480-6.dat	upx
behavioral1/memory/2656-20-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\soniccolorconverter.ax.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveNoise.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Internet Explorer\pdm.dll.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\ExportSuspend.lock.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe

C:\Users\Admin\AppData\Local\Temp\f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe
"C:\Users\Admin\AppData\Local\Temp\f8b2f8244174469bdbfe33707835c03bd6dc0bddb4bbb7908b7224d15468f9b4.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.tmp

Filesize
91KB

MD5
57599faec380ba38c740e9d04f2bd122

SHA1
2520e98abe1a012536f8f7e96629903ce4801d3e

SHA256
ad3ca948d55fdfadc344ed12581ddf700bf7113539fa5a81cc15798fdf100b58

SHA512
fb6a0b9d6839eabdd84d6328fef2eee5f59050cd3842634103c30eca02a63e938778324efdf30dfe0372363196a3da82415669138a2673da5e474a8e863b416c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
100KB

MD5
ac3fbcf84557a0117cc94a7cbb959dbb

SHA1
9b06ad1b726ea9a51b30a0513d9c81b4e6fd5e90

SHA256
6c52ee4342cbf9be670b481eab51a659ff096bb3f147a5ee5d7d2d8b8d0410df

SHA512
f54f655f439386b6aa1865ea78eae6e4c9344f550a13edccd9dfcf2c730e6bca81362c3e305adc7b8276fd9107670bd62e0bed176cf9ffffa5615e908317295a

Download Submit
memory/2656-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download