e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
Size

97KB
MD5

3d2ec3652d96089b017b17c4c9d838aa
SHA1

916ba6a565b60885f97412ed7ea0e21aba906873
SHA256

e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019
SHA512

2382170ef2ba1dcb331ca2810a859b9a7a615a4da523484a2bf8139fc51ea7fe8c7c33218c5093b1046ba3e83950a410fe80683b0f2b27d28d874d50f15ab765
SSDEEP

3072:fnyiQSodYeHNmkDxfIyKoIWbsHfySkT5GeCyi348oWGRPOzkjId6q8UdrSD+kCoS:KiQSodYeHNmN

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3511) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2964-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000012286-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2964-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Tokyo.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\DVD Maker\WMM2CLIP.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\desktop.ini.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Palau.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Mozilla Firefox\dependentlibs.list.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Windows Defender\MsMpRes.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\DVD Maker\Shared\Filters.xml.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jre7\lib\flavormap.properties.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages.properties.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.tmp	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe

C:\Users\Admin\AppData\Local\Temp\e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe
"C:\Users\Admin\AppData\Local\Temp\e50c5588c9f78c38d326a32badc38cdb92d02ee86ff9aa9ca76c8662f339a019.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
97KB

MD5
e95f855a0dfc06e6b94b19a3df899093

SHA1
42ed8f345ec1659d4211aa2c89100e129dc9320b

SHA256
9f4214e85b96f3c6f9ee192e84902028ce859d844c3e93490a179adac6578bbe

SHA512
ef22f769ee723f0b0e069af328b49b3ca6f4a006114dffdb02f4a687cb6fb1e5e30715764163579f62f3bb3a6c29fe5b83648117b3b9c603e7669670869c7b94

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
106KB

MD5
138b872ad0f195a8363b4f7b376b24bd

SHA1
d8d1d1b92808693db9c4a99e00dbe5543949b1a5

SHA256
8d03a6f116e8654c75bf6b261db5f163dfda416d4a0cd440777b9a1dafc3aee4

SHA512
24eac84f60b7791349155cff0ff7d85912fe6cd4508e6c55291157dad5d184580bfc2dca991af5a22880ae04fc2b129381e9b39d1c5e3a79924e985db74062b1

Download Submit
memory/2964-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2964-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download