06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaad

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
Size

32KB
MD5

6bac3535f1004db638941af594a2af50
SHA1

f3782f2e1a8d39fd85cba1ee8922194f08e581ba
SHA256

06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaad
SHA512

51cb44ba66dbc5b9c65b95ed5411738028c19befa2034d6f4a2d09590a8a3a76dfaedceb9550794e3785459592a372a172bb6f73b8bbb76edefbb879db2429ec
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9dUZJZv:CTW7JJ7Tynv

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4115) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1152-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0007000000012117-2.dat	upx
behavioral1/files/0x0002000000010674-6.dat	upx
behavioral1/memory/1152-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\WTSP61MS.DLL.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libqt_plugin.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\PortalConnect.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\init.js.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nassau.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Mozilla Firefox\qipcap64.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.CMP.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Windows Defender\MsMpRes.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWDAT.DLL.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
File created	C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui.tmp	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe

C:\Users\Admin\AppData\Local\Temp\06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe
"C:\Users\Admin\AppData\Local\Temp\06288c3020041242d2820517b99d25e94ce56cd76467719ffb27dfc97a8ecaadN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
32KB

MD5
4a99886d7ccc59806da3b0d931233e02

SHA1
63ca0c65246d5b4318c7bbf69f9fbde94b568a20

SHA256
f6504320d358f6dd6c4c0601be8a698875b5dac3eec36a2de9c9082b4f665afa

SHA512
502362a0e6163393309d2ae5409ac1cb344ad1fa9c57c11b7e1f6455a82e14ea0e4246d84ef66885c8d59a590d6dae2848c3a8a932b2ca48e06005b498808dc7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
41KB

MD5
150d996135e83e3916d826f69b2214fa

SHA1
ed5f446890bd9d3e0d43d5d469968c0838b0f802

SHA256
e6885277aaebb30769b96abcb4e4c80470bdccaa4b3a1973a24a4d58b85652b9

SHA512
e4b6a26882787921fe4054715742d277c838d68f772aad665ea25f3b0ad3050fdab4e2f328f62e428e2962cedd8d700d165962004807e043bdc96b7827abe88e

Download Submit
memory/1152-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1152-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download