26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034ae

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
Size

93KB
MD5

12e281fb20d9153c72de7bae71cf5410
SHA1

3b429b417a5c890464b02fddcf033a14d360bd34
SHA256

26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034ae
SHA512

ec6b25874210ff5fd2cc8db6024d09f070ea71438bd9358f5f17dac0f85b091a735cb354a8ac246a98fd285cae982d39d4642cabba694a6f9fc7353d09405d0b
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxY5F2t:fnyiQSox5F2t

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2958) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3044-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000012119-2.dat	upx
behavioral1/files/0x000c000000010546-6.dat	upx
behavioral1/memory/3044-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\lib\zi\CST6CDT.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\release.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Moncton.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\RequestMount.zip.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\lib\jfr.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\LockSync.mp2.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\bin\jsound.dll.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Paris.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc.tmp	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe

C:\Users\Admin\AppData\Local\Temp\26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe
"C:\Users\Admin\AppData\Local\Temp\26badd1483d373332912e5b89b59b0ba3b46c209298f2913dc114851466034aeN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
93KB

MD5
f7eb6c3925430a0b5565f91fe15d1f0e

SHA1
d15cd51d9b29ef71415aea189b809cba5b7fa568

SHA256
d7930c089c72f0bbe97aa28eada10a38631625872108f4098b67549c0ef4b76e

SHA512
bdb06bfffeb40a9bc819dd4062183d173c79b52fb4793db4be79874de9072f7fd28ffff768ab1c5522d6520efdd0736b1def05a8b1d174567d66451480a1bffb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
102KB

MD5
d49d7cfaeb3e100e4129c093a8848efe

SHA1
0c354e892aa7df6187183bc696d18045ccdf257c

SHA256
fc14532d376e3892fb965513faf4beb786cb261c790d3a384c1ca1596d703148

SHA512
3184bad4ded2a2e54f7dce175fde5e10db8986544af93869deb0c5f93ab797dedbd360d79995d1bf40adb5a7ad49b8432f1c33b19c9781c1456b37ea706cb52e

Download Submit
memory/3044-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3044-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download