5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/09/2024, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
Size

74KB
MD5

da3b7f3f439f36578360935307fce1f0
SHA1

779d4807088ae72fc6330da816d2d1c40b809959
SHA256

5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46
SHA512

987162b59ef3f080543fdf4438a2598f5611d65d96e0c78c4f89e7e895daaf2d5aa1b13c27d43fb885401460b341914e1db26f77246baafd5aad7b1b2ee65bae
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0mdF:V7Zf/FAxTWoJJZENTNyl2Sm0mgI

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3171) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2860-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b00000001225f-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2860-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jre7\bin\java.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jre7\bin\decora-sse.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe

C:\Users\Admin\AppData\Local\Temp\5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe
"C:\Users\Admin\AppData\Local\Temp\5d8ff79bb4b4635f6d86a4f915fa691d28a54d7188cd0a928da96c4bd152bc46N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
75KB

MD5
1ae3241c288da842cb60380d561301d8

SHA1
c14a045e50767fd0f1cb04475415ad086e0c7bae

SHA256
1b9213d91a959456b58347398333a3da41aba2724e69d518d7f29e8469263860

SHA512
0391927b167248d47f30bc6b54ba20f00927678cc76e669153eda68a62a3edbc8765f9a638a917016bf7f1f01948504964290e0d108c24d6dd143f76b44cf217

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
84KB

MD5
75a3af64329239242511d3d0644bb86b

SHA1
bb519d5c96301f12e74fbfb7d461dea68a0e1c8c

SHA256
4d70642e65f2ffc2fb19f6a0f9ced8b952c6d82448454244412995cb9049d81d

SHA512
25f0d68b122557aa159b37ab70da9fc2d89144b899daf086bfc23c3a91f0b0d12f44ef3162024a57f13a1647b2fdc744eced3553920e4d570df9781b54295658

Download Submit
memory/2860-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2860-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download