e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
Size

24KB
MD5

70d56fd1d4dc1921869af0faec886c20
SHA1

77913c2048aba8001d56ca586be4a47194c4df7d
SHA256

e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab
SHA512

004c65c2956206e7e9eae7f9db98f194a6e4b962832b60549b07269e683df103ac7424f6c0f8f0100a352a2a9b9c38af60d8ca7c8c97149ad5a08d889be22c89
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9qQn:kBT37CPKKdJJ1EXBwzEXBwdcMcI9p

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4173) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1520-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00080000000120fe-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/1520-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\gadget.xml.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jre7\bin\dt_socket.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libglinterop_dxva2_plugin.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ar.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground_PAL.wmv.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\InstallMove.tiff.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CSD.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Mozilla Firefox\mozwer.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jre7\README.txt.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\micaut.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Engine.resources.dll.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\vlc.mo.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.tmp	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe

C:\Users\Admin\AppData\Local\Temp\e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe
"C:\Users\Admin\AppData\Local\Temp\e636d5e5fb6d62b7dce5bde6a6076ec000504e43ff9a577a58917efb13f389ab.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
25KB

MD5
ae7ac0fb1fcb62c4b7f88c0c21410b77

SHA1
ec558cc1dce51759827f3f2354ce4116ed1ee6b2

SHA256
f21b3a8693b4d2422346f62b63d0c1ab7b40ad1d458abed7ccc4b2d8482ed726

SHA512
6c79a379f89e54f0e1818c18cdca7f7ca74e60833b07c32abb9f3c5abf4da0a3f353b0c86ef30f7d8efa723f56ff9e699056af4906663a3df6bc7b0124c87d41

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
33KB

MD5
651e5765a05a830b5e7e2d5293a319fc

SHA1
a2f8e1b7c7cbccb7a6dd6bb033283f9f6af64c2d

SHA256
0c7679a7c7428c796f70a88079d815e2c28d29169bec4fced5a418c549818f44

SHA512
0fae14b7483024c39cc20c802cd5db2300ddd43d64d1f59935f1225e3c7cc2d335184d1b45c951c24339981dd46a599f56c91c40d9d8c08ed0ac1c314805394c

Download Submit
memory/1520-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1520-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download