39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
Size

85KB
MD5

63c7ae32c9c8eab29dac2dfe8dca40a8
SHA1

18cd9fbbbe3d04b72289ab5ebecb56c54b8d6d65
SHA256

39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b
SHA512

e76b4d01d462ba94ac2ba5c90684b17fc2a4fa266654be7b4f9ea7263e59ca005db19b98628ae8ae12156727a52decd93a8b735399d7bdf147b9a8c3719ee613
SSDEEP

1536:V7Zf/FAxTWoJJ7T2StuSt8TW7JJ7T2StuSt1:fny1a+u+Da+u+1

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3432) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2792-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b000000012029-2.dat	upx
behavioral1/files/0x000400000001043d-6.dat	upx
behavioral1/memory/2792-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Mozilla Firefox\vcruntime140.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPDMCCore.dll.mui.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationFramework.resources.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Windows Media Player\fr-FR\WMPSideShowGadget.exe.mui.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotionblur_plugin.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudiobargraph_a_plugin.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Windows Journal\Templates\Shorthand.jtp.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\wordpad.exe.mui.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Windows Sidebar\de-DE\Sidebar.exe.mui.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Windows Journal\JNWDRV.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jre7\lib\accessibility.properties.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Mozilla Firefox\mozavutil.dll.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Java\jre7\lib\plugin.jar.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe

C:\Users\Admin\AppData\Local\Temp\39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe
"C:\Users\Admin\AppData\Local\Temp\39e7b8f21ee869fa5ab7099710e674ca0a60e79020578fa67365921ec8af130b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
86KB

MD5
7ece63cd6fc80c1687a832970d77b739

SHA1
dbd77548f94ab61ad520bb1c70902e91205da5f5

SHA256
3461c6dab7570aeceea66cbbf9722ff9f09da07e703f5786d78755e70aa29047

SHA512
98276637287e5f02e2398b083925aa01755bc248625a6fb092a7545f384a9ef5dd77adf7c05851a0aca5af625502894f710e0fe2fe54534a4c65a66d6d4ef829

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
95KB

MD5
b820e268ef1ed0b7b8c43c43a487d3b4

SHA1
530c8ecfb24eccb6750b51e532ee40c302e3bd68

SHA256
20ce4a8d5454ac8cf1e28303027c876bae4e7920222f12fbcd81b16dfc509609

SHA512
324b0788b3d1a0c0a09efb8b6475a363337d34eee6b551ea4b06156290ec8c94385450094a1db49994d265c5decc783c7cf5bed87c3dc719706721ea6d4091b8

Download Submit
memory/2792-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2792-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download