6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 11:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
Size

32KB
MD5

278039667fb2d360feda99d130461670
SHA1

614b4d30437224abf77d23408cb03edd78183d66
SHA256

6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8
SHA512

4f9aa66bab168b892975e93fd3dde3298a625b8ec18b253d5b6d9e0797b5747ab3b25d3fe6af1ff977b7b7dbd92d7dc474f70cd4c200f1ea2fca9fa1401523a4
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJPbUEobUE51lRtJicszsOVC3xDxi:kBT37CPKKdJJTU3U2lRtJfOsRo

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3306) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0003000000011c28-2.dat	upx
behavioral1/files/0x0002000000010617-6.dat	upx
behavioral1/memory/2220-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Internet Explorer\en-US\DiagnosticsTap.dll.mui.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\DVD Maker\soniccolorconverter.ax.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\AUTHORS.txt.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Mozilla Firefox\postSigningData.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Menominee.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Mozilla Firefox\mozavcodec.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Antigua.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties.tmp	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe

C:\Users\Admin\AppData\Local\Temp\6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe
"C:\Users\Admin\AppData\Local\Temp\6bf742556cc3946b27071532e29d6e7c277898fb666e997def2f7659649512e8N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

Filesize
33KB

MD5
3371b36f78d02fee838533a818abd71d

SHA1
cf1d347a0682850bf91f5d5551a7fd5808b3d036

SHA256
fa7705649e3d42bba47776f6dbb8fad676452a6cdab409f32f7d7ba95d0e58db

SHA512
92cc9c5c0f79c6b14c24e8641f52c6082ce081043ef9826fb03b72573f45b22a7f0dd56f810d70ae0b3a7f3ecbe5d8e3f60aea1cd069ce733d7291ac2f1ea02b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
42KB

MD5
572482a2c7106b5effddfae07bd19da4

SHA1
e44c0ddd5a0a55c0e5cc1bf2443fb0d339cb1a92

SHA256
1e3501c5290c0bef66fa0d6371cceffa9827fc9408c06cb84358fc757b3682e7

SHA512
bd828564135065a1c07f21f97b52a9151d3c637287af52b933fd00f65291f69030a4a953ccdb8a8a048f6205eed9f6a602ee92f38dd195dcb83639a717ed033d

Download Submit
memory/2220-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2220-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download