65301a72e6f48e0788a55888e3b2d7a7d81d6cd178723240fd8a6b729768f5c8

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
Size

35KB
MD5

c5b8f3d3287b53dbcd27d9c4a750cb10
SHA1

671ca952567046559e1ebd456da1baf7998a0afa
SHA256

65301a72e6f48e0788a55888e3b2d7a7d81d6cd178723240fd8a6b729768f5c8
SHA512

ad5ea18e9d5f7e415e3da11475d4d8426cf4e0216c3d06e344c0dae7301b0fac79f959b3ea4864c90e2de99713a43e4aab0a5cf3921fa0eb169ced6394118c83
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0m+s2BGUGV:CTW7JJZENTNyl2Sm0mKS

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3203) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1744-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0008000000012117-2.dat	upx
behavioral1/files/0x000200000001067f-6.dat	upx
behavioral1/memory/1744-71-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Makassar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Manila.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Juneau.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\InstallProtect.aif.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo.tmp	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5b8f3d3287b53dbcd27d9c4a750cb10N.exe

C:\Users\Admin\AppData\Local\Temp\c5b8f3d3287b53dbcd27d9c4a750cb10N.exe
"C:\Users\Admin\AppData\Local\Temp\c5b8f3d3287b53dbcd27d9c4a750cb10N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

Filesize
35KB

MD5
18261721e2002a48122927f20ccb579e

SHA1
bf60bf1ae75168a8a38cae8a4a42bb80ff294090

SHA256
56ca15757c4d98c92ebf18b767080749ae9dba92337f9ba919702dc8610bafc9

SHA512
237170c719e9c893accb68a31774f86467f55cd3747124c177027d590103d1465332744f269090e0acee00d0def6d84404bd4b00049fb1899852c4e2572fdcf1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
44KB

MD5
6040367cd84068422aaa2e7bac584e5f

SHA1
554fffb60490055947b59e9b58d5d6440cd64c04

SHA256
3e8c0dbe1767db86bce75d566713fd80820b0ff5a9533f9df22e0e0becc744e2

SHA512
b1dd5131950ef11f7e31bfbc843e074e497a44e545c9cc5e88fcbd99a3bbba69f64f2005cc4d3554ed08b14c409ccdf91f46489f86cde319a91bf2738a72290a

Download Submit
memory/1744-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1744-71-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download