2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
Size

48KB
MD5

1c6454eae1b9c041d41332fc9c27de92
SHA1

277388dc0c7b76f2a20dd01467f1b53e1059dc58
SHA256

2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303
SHA512

8079b8ccd9690c9c404611b5bb9391cadba27b56ea99f4221015b61839c150e124e905e01d86272ad85cb54621cac33ac372b3a54922a12ef10457026e8605e0
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI98j:V7Zf/FAxTWoJJ7Ta

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3785) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2296-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120fd-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2296-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\librss_plugin.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre7\lib\security\java.policy.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Toronto.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\InvokeTrace.AAC.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar.tmp	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe

C:\Users\Admin\AppData\Local\Temp\2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe
"C:\Users\Admin\AppData\Local\Temp\2171fef7d1d6427a9d710e2e82e485bb3c9f0c098801aca1ae592d2849efc303.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
48KB

MD5
546ebedb0a6bb9f42835bb6470458417

SHA1
41268c4ca74689d4f504e832f7fbdf9f0c466369

SHA256
25b45b8bf1d520095fd31acbf570ee22e05ba895a0c09c621c80a1c302e8ba16

SHA512
3b76af73012dfb93ba222877b25919ad0fcaa046ad5c80a2cdbecbd7681208091a15afd9a4f2d9ebf8cace6439bcfcd2266e8ea58ce78e40d9cd7c6e6fd11cb1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
57KB

MD5
8d6ed4ea9a3edea4553832984a2699b2

SHA1
234edb9e82ecd51b8ca46110f29df2a375921496

SHA256
629bd361465c1b7aa2c27fba2516a8303baa8e2d0c4f3a4fe9b42c358e56870b

SHA512
a8c4c982761564f367e575c0e271ac99f258ceb325c4bfa7e2fc6f403874734aac9e8083ec2f042984212b0cf7e2e0ca6155d98a3d62adbdfeca9c0542c3f2a7

Download Submit
memory/2296-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2296-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download