5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
Size

61KB
MD5

030b5817c5704e1f5c471737db210a80
SHA1

489c0e0062fc239265c328f966ce8cf320694be0
SHA256

5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3
SHA512

241bc47e37d491885b663b577f9ec13504de12ae9b6c86ac2ba17b2a3f1b35918ce5c6c614fd7b5cb0550fb3bfcf0b5914a103d37ffdd8f1ee68d97f7d41faf4
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBApwp133EskmKQ:V7Zf/FAxTWoJJZENTBAOIfmKJfmKjO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1416-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00090000000122ee-2.dat	upx
behavioral1/files/0x0002000000010674-6.dat	upx
behavioral1/memory/1416-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse_1.1.200.v20140414-0825.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.ini.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Internet Explorer\F12Tools.dll.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\ConvertFromEnter.js.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.DataSetExtensions.Resources.dll.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Miquelon.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jre7\bin\javafx-iio.dll.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Mozilla Firefox\update-settings.ini.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe

C:\Users\Admin\AppData\Local\Temp\5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe
"C:\Users\Admin\AppData\Local\Temp\5973e659ace973ba9a86d6c5e083f93a85cda64f740fe5a2cae69088e8e9deb3N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
61KB

MD5
62f9079b05f73002ca4fd0992e280066

SHA1
e585e7994f8581aa897a0a5daf20180903f34798

SHA256
3c5f545c7db6902878d71ca716a6b038bb242cc53ed8d7b23596beef44a8e566

SHA512
08acb67bb07a242d65e5bb79d2f2bf4f6527e1bf91e2e9918d202d1058d8c5a2fa0a905f3654ebf64405df545ab1b33800f804ba2ee6f1cbb138184ace7d6c6e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
70KB

MD5
d0e94fd79f03b4594fa919a21b6e0bc9

SHA1
e3654fca3c489f5a0b3621addde71f3a6af7b6e4

SHA256
266cec8a50470c54460d6050365f2fb2ed9dba1c8fe76ab2c10e7799d08683c1

SHA512
df239d0620d72ff929e133179467ef61f61e30a94ee2171c3726bcb6d97a38b6baf857ef5b847556d4c0e788e24c0c86333f191b5ed880a0fa0dd4fea8dff179

Download Submit
memory/1416-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1416-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download