204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/09/2024, 22:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
Size

94KB
MD5

8a69a22dd6624e13483ce8ef22b5db27
SHA1

9eddff37d10b325e6ce26612153ac6f3bc596be6
SHA256

204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208
SHA512

043bdf18148b8c8b24c5c9afab28e84cca2601a6f780ba3ae3dd4d5341a255ddddd6c272480aae55f091ec6c8dad05c3392baa1ab04d8f31e8ce302c9ec85df5
SSDEEP

1536:V7Zf/FAxTWoJJTU3UytJfO5mdGwmdGATW7JJTU3UytJfO5mdGwmdGFfx:fny1Q0

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1752-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000f0000000139a5-2.dat	upx
behavioral1/files/0x0002000000010621-6.dat	upx
behavioral1/memory/1752-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\content-types.properties.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nassau.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\VideoLAN\VLC\THANKS.txt.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Gambier.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jre7\lib\zi\MST.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png.tmp	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe

C:\Users\Admin\AppData\Local\Temp\204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe
"C:\Users\Admin\AppData\Local\Temp\204a2ec370ef7eb5d787d31758c571ec444a20a587b7fcc557c6771bc4cde208.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

Filesize
94KB

MD5
ceb39ed4c32de5ac19abc989a162fb94

SHA1
eedd13d1dc675acca0f7b7f2bad3aa77a428d01d

SHA256
78c20dae1a3956f456d524124f3610f46dc89632c70c252907f8a3a52306fb55

SHA512
9f5ab4f00bc0d6560540d96a7285f5b365caf212bdf3a9464d8531016bad9278ad8141bcdb8e5986e0e16cc2662c772f011aa32a1b7f6a81f50d284881096126

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
103KB

MD5
71b7d274cc6ff96d4f55fc827df9ef0d

SHA1
23da67793b3da9025084f7abfce630ca414d2cae

SHA256
169006c440feef8bc284aa11b285d74750859c5c128b64a8ce953bb731fbb528

SHA512
065ba80437b0a2b4f506c007ab888b6edf47d935e0e5ccdf8b70638baa72cde4dca4ae213fbe10d46202f016fa4292510b5478304c212e8ecaa854b2f7399f3b

Download Submit
memory/1752-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1752-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download