43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404e

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
Size

24KB
MD5

1fd6fae17c7f1329a1eb16e0ec094540
SHA1

690aa735f033d227bef667e9c229bb96620874b8
SHA256

43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404e
SHA512

f7c7e0babbc7cbb8d65d23fc30b4b462cc687842b71f99fde9b4fc9761fed9bf8086faa2da2f1cb0a02ca06e97be28053005da92018b94b121df9d2c73574136
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9DC:kBT37CPKKdJJ1EXBwzEXBwdcMcI9G

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3350) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2596-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a000000012255-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2596-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libntservice_plugin.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\Documentation.url.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Karachi.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jre7\bin\jsound.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\Chess.exe.mui.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\La_Paz.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\DVD Maker\OmdBase.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll.tmp	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe

C:\Users\Admin\AppData\Local\Temp\43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe
"C:\Users\Admin\AppData\Local\Temp\43633f6647a2bd9ea5d2174e91b49e5c3d1b6b4472ef6f57eee118403b24404eN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
24KB

MD5
d891fd7853449628518703b3b714cbf1

SHA1
54092fac402520e9ffeddf8ec5aa5cbe091546a6

SHA256
8d755d73845a8049eb1bce78e427c71c556cef3b4da1744537aafd523ce3ee8d

SHA512
f601f9f613839c4376abacc284a232e9660fb6638bf759bf544d9f6fc7e14e9e262e0b1908938323a90c148276820a7125a126e4d4311e18a5638814b7dc2613

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
33KB

MD5
c112d4a923658e08cff58b704dfeba7e

SHA1
88b9be552b4f8d7f297cd4ce02d9ab7ec2ab0835

SHA256
8a3f564368e87db2292704d2876ff047703b3bd358a77d4ee675c8c9473b91ff

SHA512
fcd86dbb08adaf9e3761a0ab99f7c1d63d587c4efc9b18638df845082c4d65b9b11d82c1b855ff0c2e2528ec15fb6797cb49091bf6803541a0669f4bde8a5bf1

Download Submit
memory/2596-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download