35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48b

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
Size

69KB
MD5

f83abf8102e2fdd69aa0348d8e740e10
SHA1

ed0c8c531af4204327a3c1dc6b055b01154bc9de
SHA256

35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48b
SHA512

493fe7302fc224f79acd7168d5e1310bf914f13ea0689930939be4da6c047669b44cb8508211797fd8a1d6fea31379ecdbdf12953a9b0815d03c257151b183a6
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9MBT37CPKKdJJ1EXBwzEQ:V7Zf/FAxTWoJJ7TUTW7JJ7TB

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3235) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2572-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0008000000018710-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2572-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightRegular.ttf.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Ushuaia.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Asuncion.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\vlc.mo.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\RenameStep.ogg.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\LICENSE.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll.tmp	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe

C:\Users\Admin\AppData\Local\Temp\35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe
"C:\Users\Admin\AppData\Local\Temp\35f7968a6803c2af40d8cee1e44d08f46ab5ad08b71e6a0a0363da2f8455c48bN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
70KB

MD5
90c0177b07745193c9a92c9e0898419b

SHA1
049cf72eb01efaa7b41242938a70fea4b8d99f8f

SHA256
a07d04df24bff853b6034acbaada0d71cffe555283fc4a4194336bb0662c0d75

SHA512
5b92c61fd1642dcb383b6ac1e9c8150e9ae771c61b0d2103a1b1c63d93f1d6fb673a87728fb1950d63c797d7da5afa6593b1506696f9f863a5f332986bdef657

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
79KB

MD5
211439913e3f2917fd4a7b4ca3b02422

SHA1
91f34447d8eed82c2270ed3ef76c3a2f1eaf2913

SHA256
f9d6b60461f121a094f08ab92700f6589147fcb8fd6a2efff33dfbbc78357fc8

SHA512
6b0e184702a4fede842e29b405956bb2511a9c474cde834ecba507c5d3ac42ed689e2baf28d56945981496894028083892dd30ca935b87c7fcf2a9c5154ae7b9

Download Submit
memory/2572-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2572-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download