0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
Size

39KB
MD5

7c1ee5ce58a2645da50ab7c917be66f0
SHA1

e3cf89fc206c2c3c49482adc4526dafbfdc0e945
SHA256

0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7
SHA512

034b10ca8f8f69e54579aa9f6a66b1cdcf43999f534b41f4cda7bf8d6defb2f78e3c33b1edf2d720afeae2e2e3d67f00334f0c756f801ac05edc2a44ee9f9bae
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9DrcwwEHUOwwEHULCpp:CTW7JJ7TVrU6ap

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3851) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00090000000120f9-2.dat	upx
behavioral1/files/0x000c000000010546-6.dat	upx
behavioral1/memory/2384-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\TableTextService.dll.mui.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Sidebar\it-IT\Sidebar.exe.mui.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\DVD Maker\SecretST.TTF.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rio_Branco.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\penjpn.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libmarq_plugin.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ADO210.CHM.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Java\jre7\bin\java-rmi.exe.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll.tmp	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe

C:\Users\Admin\AppData\Local\Temp\0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe
"C:\Users\Admin\AppData\Local\Temp\0967881fed3925aac923ad17dd1d0fa05acc718c067178f998c3375344992aa7N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
39KB

MD5
67a3206123c6e91668a8f28035215fa4

SHA1
7998d076c7c5ea62fc7f06d8a86bc5c2a1fe20ed

SHA256
543ca2c52222306e65dde5eb1f40cc8c57bdc0810eca023cf8b924538774b440

SHA512
4ded151862ae59f7d6c3908010b63fb5c87fcf38884684d2982b17304b72685f5b4d2e65aa1114323e5869c7b6387fed3d6f9ad2722e4e7097b3c69a0ec9e329

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
48KB

MD5
4cb22ed3b0f77a2850b2db4794d117ca

SHA1
cc15a74e494eb7bcf790b8cb9c8d46e2ca8f6060

SHA256
d73b0b6b300e8b044b39e2bcb7900be3aa39a7a807c7e682e7149eae96a37711

SHA512
7c50f491f10a1e4e6aba0807ad1185d9b554b8bbf0183d266ad19740d8597741494cfb6fc6e95955a0790d7c13f8940fa0bd9a3642cbb7d1212b6d0f5e202e37

Download Submit
memory/2384-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2384-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download