e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
Size

81KB
MD5

2415721f1d3e5f940aa1df2f51f8a372
SHA1

8f095b2aac2beb62eb23d425179f861708b8c9ca
SHA256

e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe
SHA512

32ec82f6d00b9df27e1c1e1401c71ee95d4e1a04bde13859a8c615cbcd90191dc1416c48d9b93bd37c3f991451bfb4a671bd149b1b8dace8472914c8833f5610
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9+F/MF/iBT37CPKKdJJ1j:V7Zf/FAxTWoJJ7Ty2ATW7JJ7Ty29

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3622) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2128-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000012118-2.dat	upx
behavioral1/files/0x000200000001067f-6.dat	upx
behavioral1/memory/2128-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre7\Welcome.html.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.RSD.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\wordpad.exe.mui.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Mail\oeimport.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\release.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Manaus.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\gadget.xml.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe

C:\Users\Admin\AppData\Local\Temp\e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
"C:\Users\Admin\AppData\Local\Temp\e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

Filesize
81KB

MD5
6bc1cbac01eaeefdce0f37c5f0886b07

SHA1
2e8e766600e40080dc05c6037cddac0252ec1af6

SHA256
df811258eb1c0bf098dcf4596f4692befd1dda2c1f136523b55feaeba60223de

SHA512
656e322030b05bbf499b4b95271816c89d7cb57b57e25a8d71d172bec55bbcd7723c80902f1febd21892606484901a54ac90b9f8307417222dfab951877d41d5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
90KB

MD5
341e2a8776d5b072ff74816a97d5a9f7

SHA1
2ea99010f50b3033e53c9be3fa0dc6fef79c79bb

SHA256
1ee3058d2370619fd3c3600d29c99eee63693fa6232686322fc5b450526539b0

SHA512
26d0ba53dfdf79208e64c0c9c63b58970c26203e2dc63f3ed7f7ad0dd8b1407df04253f5256fca1d359e2cca1d44735268bb05794c9c63911fe566b42189f5c6

Download Submit
memory/2128-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2128-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download