4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
Size

49KB
MD5

759939055cbb45e422cdc30fff666980
SHA1

524dde338058db9a6f0079e2b81a0d71b56e88a8
SHA256

4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648
SHA512

e334f9b28838146379a37cdd4f1c8966615f8256a531ab8409b626cbb14bdb6052639b1aed2f9943e43b240ac34b0ab868c162e06d57d16f204c0f96e3f72cf5
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeinMds:CTWUnMdyGdy4AnAJYq8YqiXQ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3394) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a00000001227e-2.dat	upx
behavioral1/files/0x0002000000010664-6.dat	upx
behavioral1/memory/2936-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jre7\lib\security\javafx.policy.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent.ini.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Simferopol.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Microsoft Games\Chess\ChessMCE.png.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.tmp	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe

C:\Users\Admin\AppData\Local\Temp\4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe
"C:\Users\Admin\AppData\Local\Temp\4e50b77d29c2599e210879ba49eb34ff9528d8630e5b9954b4f46f97c7fb0648N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

Filesize
49KB

MD5
14a8bc94d1eb287de643275db2e676c1

SHA1
0d740482856d93b64fde5dc11e5604a63dc43ada

SHA256
b6991584af21ef5743e09844d30815ee5afc1c76a5de0fb5e6e7ab4326fcad76

SHA512
6c7f1ec4d66c8afba0c29cc9a1a3daad4ec7b55bb3591201a2027c48063a4ef8716d9500634180730c0b0fcd4f37c0c8a592e7e897a3c971b01814b89dc71dcf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
58KB

MD5
3cc3d26cf41ca52b7b848b3f6c94a769

SHA1
f7acc022c9751337a05c3521d7743185c76c1ada

SHA256
430c12d1772e3c35105f9fcf70ade20d12c16a0d89df26ba7047eb3dd7c2f383

SHA512
ecef521b2a19b65faac371f285f8b8dae9254bec55458b0decd8bd6b2d9f75afb4c1e629db8bb7b28d8efe5ea14a16dee8dae21cfba8f4851e2d842469a6c27d

Download Submit
memory/2936-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2936-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download