89115ec35d2bc6f0e02e2003f4fc9a58dc69a66f47da7432b4526f05993968c4

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28e860f4ac9445aa9cdf1401c58d4420N.exe
Size

84KB
MD5

28e860f4ac9445aa9cdf1401c58d4420
SHA1

838be61a0f34e1df475c2a10869a39dbaa5ff629
SHA256

89115ec35d2bc6f0e02e2003f4fc9a58dc69a66f47da7432b4526f05993968c4
SHA512

418615d4a424a9970c21828f709b225fd0584c2b046eda8cb939b87a85339fa0fd40bd17e831e8803f7449fe2eae4af2b5756f3e633bb7d1077d734c9e26d9b6
SSDEEP

768:a7BlpyqaFAK65euBT37CPKKDm7EJJ1EXBwzEXBwdcMcI9SBo7BoABT37CPKKdJJJ:a7ZyqaFAxTWbJJ7TXTW7JJ7TaDvDO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3213) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c000000012268-2.dat	upx
behavioral1/files/0x0002000000010541-6.dat	upx
behavioral1/memory/2196-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\bin\eula.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Antigua.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayenne.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guyana.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Mozilla Firefox\firefox.cfg.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\UninstallPing.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\VideoLAN\VLC\AUTHORS.txt.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\SyncStop.wm.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	28e860f4ac9445aa9cdf1401c58d4420N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28e860f4ac9445aa9cdf1401c58d4420N.exe

C:\Users\Admin\AppData\Local\Temp\28e860f4ac9445aa9cdf1401c58d4420N.exe
"C:\Users\Admin\AppData\Local\Temp\28e860f4ac9445aa9cdf1401c58d4420N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
84KB

MD5
5a2002f767782cb609d38a01ac6fc25a

SHA1
e01e616729994613a72b4946a406eb0b7da4f880

SHA256
d01e9f20700a1eeb64d74285aa9b3ce3f5a75693187377ccd728c233e874fd1c

SHA512
d326b29860c76d08abeb768ec5c796138ee5486f6fd99069262861e6fdc0b40f4c353dc2472f21f07b383ae4bba467d1909ddce05f043ba3b783646ffcd7e866

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
93KB

MD5
43e64997679d63f0d22f2505332196c6

SHA1
2bcf80ac18c98e9e6079fe0b9f9252f0aee471a7

SHA256
db5a6aa271b0674c8f241e7fbcc2f460ae583fc17db7f28dc13a9dcd56dce6fb

SHA512
2424523b76dc66b14e11155f308aafdec97bfaaf79f6ffe8c68a95c3459b6c164f5570afde990474ce4649dc789f2c71522fb60307c164681494f3ed06ebc7ff

Download Submit
memory/2196-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2196-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download