059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbac

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
Size

24KB
MD5

d03c22fdfd96f6d8938435fda8741c20
SHA1

604389f321a20282ec6396ac100bc4bca3dd0db9
SHA256

059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbac
SHA512

ff6fdf3b39154d37ead82e8800f849048a6be017eb8401791af8ff7147fb5c9728f17f8c9e5105e97675f9e7583daa96cec3b726433f2afd1996cf33a0065326
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9AiOix:CTW7JJ7TF

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (517) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1620-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000c000000016d32-2.dat	upx
behavioral1/files/0x0002000000010480-6.dat	upx
behavioral1/memory/1620-26-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Internet Explorer\pdmproxy100.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\ClearSearch.html.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\ExportSwitch.rle.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\PipeTran.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\OmdBase.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\SecretST.TTF.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll.tmp	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe

C:\Users\Admin\AppData\Local\Temp\059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe
"C:\Users\Admin\AppData\Local\Temp\059ebd4f33dd987470c430d937dcf100b01cb15874b2a08683d3f6e0fb75fbacN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.tmp

Filesize
24KB

MD5
e280957c180dfadb38abc3654c58299d

SHA1
82e0ef1a6cfe8f5e745f28abab31a97261f2a88c

SHA256
4e32c875b757b23071638e7174edbbac1832f23b2639ab82ccd920ef15a1fe27

SHA512
51fff03a8e2721435f5adb8c7454f1379340eafbf611f048c1ad58ffb23f4e4b14d5c14db2c7b77c9a1687a55c0707d2a1a57b1742d1025628d8583566a884cc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
33KB

MD5
a50d245e05598fac33f5ccd566247c1c

SHA1
791cc1e0db40b5583509bd46bbdf50431696707a

SHA256
71f3d9c9b528c387d265de0f022fb4eb188b6e6fc6b790a50c6637f013a129d7

SHA512
cec52994b4c6195246e3929418b44611a7e7637a60e0d5a159eaea53d3e1111103f3fe0778bf3e479a6050e81d2123bcc3d0dc2f22ead93f305ab04bb9cd972a

Download Submit
memory/1620-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1620-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download