a7ad3fe084bcb0922d967a8154cc7eab8e03791df69475153a0d3f65f78eb26e

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23db8503f4c62884e3718d1a162efef0N.exe
Size

37KB
MD5

23db8503f4c62884e3718d1a162efef0
SHA1

e2cdf5e892beffe1ceee7e4543e22e6550f448d5
SHA256

a7ad3fe084bcb0922d967a8154cc7eab8e03791df69475153a0d3f65f78eb26e
SHA512

407ae4d1f7153309ebd2557b8a904e37ef1dac9ae3f11f99982467754efb68d96306c3a00d37d43a717bd9ae70c8045397ad7740a57014d369c656e8b68d1f96
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9cGsGJK16lj3Ai1xQ6lj3Ai1xB:CTW7JJ7TyGsGJK16lbE6lbl

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3319) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3052-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000b000000012282-2.dat	upx
behavioral1/files/0x0002000000010541-6.dat	upx
behavioral1/memory/3052-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Havana.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Canary.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\EnableStop.mp2v.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Marengo.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\bin\sunec.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\MoreGames.dll.mui.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunec.jar.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libadummy_plugin.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Yekaterinburg.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\bin\unpack.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Halifax.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	23db8503f4c62884e3718d1a162efef0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.tmp	23db8503f4c62884e3718d1a162efef0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23db8503f4c62884e3718d1a162efef0N.exe

C:\Users\Admin\AppData\Local\Temp\23db8503f4c62884e3718d1a162efef0N.exe
"C:\Users\Admin\AppData\Local\Temp\23db8503f4c62884e3718d1a162efef0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
38KB

MD5
51cce1616edbe4f19e2efa6183082c3c

SHA1
428f97038f87a1ad7c0272795fb1b1875c9c43f0

SHA256
317f0406e30cb9efeb2f31c0e2ce2bff04bbb4b25c93d04ffde65611ba69664b

SHA512
0f4fa8cdbdf732e2189f5e7abb4b2ce95b6f3cc0e046b2e27d17f1695758254aa3b56f37b4345ee47af8c6a60d9b09396de462ee7ee749a84b4aeee1503953c3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
47KB

MD5
3132e246ee952747ec781886fa12ea5f

SHA1
a06b2ee4814fb4714f213d322fba30508721648f

SHA256
41640f259f80d3905aab60834bbb2c74fef73ce5a19cea2a39a0fbda0042bcce

SHA512
49b18ae10b9cfdd27e3405a1551f7f72c29307cb4698f1cd27da539b23dcdbc567332a49ccda248092dbb170ee1aa765d9cf6765b804a7a70c5ea7c4528ca527

Download Submit
memory/3052-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3052-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download