dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
Size

117KB
MD5

84fcbdd253da4c3111cd9267e3191512
SHA1

23861fd8c017a5275b52489878b50d95f35ead71
SHA256

dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b
SHA512

2b0b2387471a3275312ecdae36dc7f531b1ba4417781a86124d0b532e050b64fa73b246e842dd5d3b42518e00763ee7df8fb2126a3b4bb35dd20cbe477331c67
SSDEEP

1536:V7Zf/FAxTWoJJ7TkGdAK1I0/yrOFrGqGIkbd8EfRJY0g+FLRnBAYuApg4VnspieK:fny1f+d

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3440) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1852-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0008000000012119-2.dat	upx
behavioral1/files/0x00020000000104da-6.dat	upx
behavioral1/memory/1852-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\PurblePlace.exe.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jre7\lib\management\snmp.acl.template.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.DataSetExtensions.Resources.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Internet Explorer\Timeline.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jre7\lib\meta-index.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\UTC.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Engine.resources.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jre7\lib\cmm\CIEXYZ.pf.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Copenhagen.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe

C:\Users\Admin\AppData\Local\Temp\dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe
"C:\Users\Admin\AppData\Local\Temp\dcc76d1cecc569f397aa9f0152cc0e780fc5d1be56537326b5ebaa643a69bb6b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
117KB

MD5
5f412a2fa3787f96e5be8f3aadbefa61

SHA1
5ae74fcdc596e20328cb96dbd5ab58ff41ba97e1

SHA256
f94fbc9d7db320a9d2222b1dfb0003a037207de9fe1cfeeb7655726b26533e81

SHA512
59af8baf69776ddc8d1653cd1db171f14d7040f8fe8c2b6fd485d61e43aa1ba53801142c80e71e6f485da63cbc95cc8c795a9d35991fd5ec90569529fd8554d0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
126KB

MD5
49e9d1d30f7fb6713cecf3eebf90bcf4

SHA1
8e5b763d8ff7b5aa10f8a5f107ba375958c7e3cd

SHA256
44935dac0d1211e057b6c62984cdda48e9440d831f2758738f8bd35eae504977

SHA512
25558d306dc11bd7cd711687d66027cc38f64ea403fc0ee2d57f0d33830797cbe3c98590602e0d529fd951cddcc8b9dd4e582606cdd29399d665fb6d57444f3d

Download Submit
memory/1852-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1852-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download