9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
Size

25KB
MD5

5b73fa96512db9a9953af6551a8bbff0
SHA1

a74f2c7f5ac968082b5fa2b7b2cd33be7d978bca
SHA256

9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7
SHA512

f3dd7f0f5e8cd0b703343ac1bea04ed91919100f1badde4d4103a43e4bd140275e664af841709fd2f453f29f944d85ab0c36024191b0c13a4e9c52be521bcafe
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9AiOiA+c+N:CTW7JJ7T9

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4109) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000b000000012281-2.dat	upx
behavioral1/files/0x000c000000010546-6.dat	upx
behavioral1/memory/2256-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Internet Explorer\ieproxy.dll.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.ELM.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\THEMES.INF.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\ChkrRes.dll.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\RADIAL.ELM.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Windows Media Player\fr-FR\wmpnetwk.exe.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\TableTextService.dll.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Detroit.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\PST8PDT.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\PREVIEW.GIF.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\wordpad.exe.mui.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
File created	C:\Program Files\UnpublishUse.WTV.tmp	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe

C:\Users\Admin\AppData\Local\Temp\9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe
"C:\Users\Admin\AppData\Local\Temp\9c6ce897f3d3c9d0e1f6774022cda249474489734d7609335d178f510aa687c7N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
25KB

MD5
844cda724e4fe57a9217c404229fb884

SHA1
f4265407ad8bdd3bc654813cd2101f68b9804e82

SHA256
e0d7bf3077e281dea80e0839a4cb62b7ad88c5a68cfdf783fc32d130ff23cd77

SHA512
0932446f64a2a00476f48bcc016690d4d251f7e2416dd52e0171413694ead1a95972b6f0670f6e4096b1b886640aa3e246722e16c4d66953d9c9a5056e4e552e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
34KB

MD5
fe723e45855bc6c8b086553550c61e32

SHA1
d85308da216a47bae3f716d8d1a5d9b73eb0dbd3

SHA256
df307bb290d9dde326238389a3534f55595555e878a6da786c51d78a6eb10cc0

SHA512
1ea68873bba832720d9b0aa7d543328c11cf8b9b2492a12c592aefd78416fe35cd0da39632fe60393f7e1c2eeac79485d56e4faca0dbd79491d536561173c309

Download Submit
memory/2256-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2256-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download