4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
Size

61KB
MD5

679f6b4c708c6c8c6180294b01f96110
SHA1

aba0a70ef94110e1e65d153c38703947fa0b8074
SHA256

4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6
SHA512

4810bd8d58e3a64fc497b09d78e9350af9b7a2b32e5390ffd0cd5e112d70237aa01fdccc557d13a5fa335d3748ca4bee46840dd812fb935c662af564385975e5
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti0kAPJPoL:V7Zf/FAxTWoJJ7TTQoQ/

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3253) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120fe-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2136-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.dll.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse_1.1.200.v20140414-0825.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\CST6CDT.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nassau.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kaliningrad.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jre7\lib\classlist.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\DVD Maker\rtstreamsink.ax.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-modules.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\DVD Maker\Shared\Filters.xml.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe

C:\Users\Admin\AppData\Local\Temp\4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe
"C:\Users\Admin\AppData\Local\Temp\4881c11a060b335438b63763aab49cab9b5008d6e3cfb3cb9ace1a51d0f711a6N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
62KB

MD5
62fcf885b7adcb0ae6892e8c6f775c1a

SHA1
e425d9c90e480503754d42fa9cfdb65bedc94698

SHA256
af173e052f4221a5cc0ab0261dac954c1b1d6cc6b91c083e19ce909731be4f7b

SHA512
c1d8030310e99946018cb49c8ce63ed2958607291b6335df6ab66dd8aad67fa8dea0763839ca3d38dffda7871e03ba59b04faa6ef5447d5367c38a504f236d72

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
71KB

MD5
e864da589ada0fc751030e76598a5566

SHA1
617a9c1d0bac7fd07a71495580e4034d641f7193

SHA256
929e12d3d4b7407ac4aa94b753a90d7d7704af97da69440aa1010dc0b1bd0e70

SHA512
50b5e28c8979453982c61b6cfa13c67d7036fe0e3991ca51bddd9e909010ce3b4ef5579edbb1c5c2d729be82f1dbf9c54ed221b2798619253bb2180ac21b340b

Download Submit
memory/2136-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2136-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download