5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
Size

82KB
MD5

6f411750a55df816803f40cb07aa7076
SHA1

783f4ec89cc9fe60830aef2a9c343509fe4c0ad4
SHA256

5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a
SHA512

239790e38da26a96e8ee6f19618314e19186289735030b322c38463048826bc117527de3045946ae73f77024347b5ef0a3af97af88404ec46ce53a5f08c169db
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8IZum0mHXxXgOT2IOT2Lpp:enaypQSo7ZBXxXgOT2IOT2r

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3551) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1676-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000012286-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/1676-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\flyout.css.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\DVD Maker\fieldswitch.ax.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Mozilla Firefox\removed-files.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\InvokeSend.TTS.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Photo Viewer\PhotoAcq.dll.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif.tmp	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe

C:\Users\Admin\AppData\Local\Temp\5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe
"C:\Users\Admin\AppData\Local\Temp\5a5a013a7e5f309bbab867d4e606f1d22d948953cdeab8f708fc7ddba105e89a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
82KB

MD5
7b1b1af2af1b7b7c1875c09d380afccc

SHA1
866dbceffcf8316b1408a999509527b48c916e5f

SHA256
3240d1fc05a17aed0c1cccf4eee3bc75fa2dbb54f885b19f2a1c0c4c6ee502cc

SHA512
3db341456bac3dff82f06a6c3e40cd38e87b01ad5d74f87083f0ab9bcf33e60193bd175eadcabeb777850682fd50e48cf0076148a69f9c331181a1b91965c1af

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
91KB

MD5
03e2c5fd544b26c7feeb6079da1ad9ba

SHA1
b19ebc71442b78819e32697b0caa30268b0d5fda

SHA256
8f50c92d60ac69df6a08f9eaa080bd3a6713f7e830abef70fda6d6d088470bbe

SHA512
e1dc756ebe8f10701ce50eb581d8f6f423101b5d90a48e0291028d33e55363215253d6a53d1080cb7e7721f8518dc1c68d7b3c6e86c4c5a9e08b0577f534e961

Download Submit
memory/1676-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1676-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download