17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
Size

72KB
MD5

084fe60e4edf47114b9178cb26a9b5f0
SHA1

9f82e2551ed00812e1b1f8b054e228c50d90b602
SHA256

17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6
SHA512

f77b286e4eedba15f99d0acfbd75ec7a4a5b72b869f3acd4e89246dba1a45d08baabbd8cbfbca06d2cec41eec2f698dd10c6200b5054a3c399114758d9c95e41
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI982AZJE2AZJ/eBT37CPKB:V7Zf/FAxTWoJJ7T0TW7JJ7TC

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3543) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000700000001211b-2.dat	upx
behavioral1/files/0x00020000000104da-6.dat	upx
behavioral1/memory/2416-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jre7\bin\javafx-font.dll.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jre7\lib\psfont.properties.ja.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\St_Johns.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\DVD Maker\directshowtap.ax.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Paris.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Internet Explorer\Timeline.cpu.xml.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Araguaina.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\gadget.xml.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Resources.dll.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\DVD Maker\sonicsptransform.ax.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.tmp	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe

C:\Users\Admin\AppData\Local\Temp\17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe
"C:\Users\Admin\AppData\Local\Temp\17eee4e5ea5532cff32f4f3c20c47d02bc0a090e991b8a0a433e0df97aacf1c6N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
72KB

MD5
6ff7c125fba28f941b02c31898c0d00c

SHA1
9655dc3e9b3a69219958b8316efccca53df84ed9

SHA256
aa96444e519f79a262a0e6e4d74eccfb6d0ee19984003614a9e17068c9c83256

SHA512
deccccc475fbe100c76e5b3591e278e9a30d0b5a6a3543ae28f8dbd9650f0145ee257fe2cd05fb8796dadfe6191fb635a624138cdafa7b22073ebdc65b8389db

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
81KB

MD5
eda78cf17375b9386488e5f98a7a85cb

SHA1
8b2e6539c778e841b359e3a75975cba3cdf13dfd

SHA256
a2f70367ea724371610915fe6bd8160ac3911f913bd2428af9a17f5eb9cc7a35

SHA512
916a5bf0e6421c515688a698fa7270e8ae31330854db82a517f3237509acc38b0b8f6e18dcd9a9c964fcdb6472b23bb3b5880c63df29ce3419176913e3819491

Download Submit
memory/2416-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2416-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download