8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
Size

29KB
MD5

165f5d01d3edf71ad23c073fc795f58d
SHA1

528b3aee9288f5022c886c9184cdd514fc428cf4
SHA256

8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a
SHA512

98eb0e6ac9ebd45118f2789e3b14d8dbe4ab9f8d9d2777c0c3346715c51f4b9a389d793064a6cad01b29203cafada94260e7f8509d9c1ce68567b0e668be7985
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNyQYJEaEEI:CTW7JJZENTNyQYJEaEEI

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3468) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0007000000012117-2.dat	upx
behavioral1/files/0x0002000000010674-6.dat	upx
behavioral1/memory/2856-69-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jre7\lib\jfxrt.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jre7\bin\awt.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\desktop.ini.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Zurich.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.ServiceModel.Resources.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jre7\bin\glib-lite.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Microsoft Office\Office14\Custom.propdesc.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\TestSplit.raw.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe

C:\Users\Admin\AppData\Local\Temp\8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe
"C:\Users\Admin\AppData\Local\Temp\8f1ba8b0d63202064a7a0290e5e4fcfca9f95f063d31b026cdc616929aa0c47a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
29KB

MD5
a1a3e0a6b34658671e4d6de12904fc04

SHA1
aab36a95f950f04fcb38b1c8684e67e3dfe8f291

SHA256
4b351ac13b87b2070b62e661ea8b3b617d98889bc93d4ffb36bddd865a6d3f14

SHA512
9f8f5facd652dfc76304cc6aeb1505b72914bd9160747b37c449595b197e713ab4fbe8f694374a2297e8486a17667d40d1b462c1ff21a24af6b644ddf26fe3b4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
38KB

MD5
736fda27d2e37a57865d8b8866dbc067

SHA1
ba708488d3cc58f87847ab63139fa98be7d31a2b

SHA256
d0d4500df767fca8c2e02bbf440e01acd3c13ffd0d21c618d7df454b5167cfa0

SHA512
b6340101d893e12012dcefd75e32663778b29c7ef7e0b3548edde16d4e8d19f273698e9ae21c01803a79a49e9ce1d76582db3c41e318e40e5db4014a8388996b

Download Submit
memory/2856-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2856-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download