122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
Size

32KB
MD5

51111aaf3514c52e79c909a1e9043100
SHA1

b0d46e9157b1c45b1f8e34c7d0d7fa10081faf4c
SHA256

122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659
SHA512

65ae414b9d035b2e9650e1dd8908c76c0372f6f9f29e3138885cb889bff049cf1d3d58ff23756d3bfa3752a8c999db3c374110007362774c8439a21d9b18a462
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeV:CTWb

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3790) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0009000000012286-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2884-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_stats_plugin.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\gadget.xml.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.SYX.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jre7\lib\jvm.hprof.txt.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\mip.exe.mui.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Qatar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\acro20.lng.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar.tmp	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe

C:\Users\Admin\AppData\Local\Temp\122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe
"C:\Users\Admin\AppData\Local\Temp\122bf1e1bd6d0a595c937bf1e664dab810693203a6dd7ed451d065938644d659N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
33KB

MD5
edee28802616e0efa3a0a85dfd215434

SHA1
ec118ca9e43e3ce7f2ccf9e8975ff950c65e42ac

SHA256
20a7ce474f3ae0e638bda23fdde679a43e712963a9a365381c3c8b38a2fb4a9d

SHA512
6768c474068782b88b8994d146739018c4c5f2898afa695da3abd0aa418d54d722fd43ccbaf699673a032a569100c331112593c4d08805f92ddd45933281731e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
42KB

MD5
15c991d9838f2f4bdbf8d86634abfd7e

SHA1
52887a8af02bd581010a82962c6fea43b0a6fade

SHA256
6fdfe25103582a6587b9ddf0640fdeacedd274c3c278b4425d22adc4e968f75d

SHA512
b34fba2c1f87869f0de06b6eea705a023a968d0f23c59792dd3a890f588f42f6040f99eefe7832cfe909e745b20905aba2c4501d067581de843c328e571c5180

Download Submit
memory/2884-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2884-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download