2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
Size

72KB
MD5

64104d08e9dc525532b358d96b879150
SHA1

2bb1f00b68d42d403a98e3d79014f22feede70a7
SHA256

2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86
SHA512

881ef5c5ce41f7c4a3cf51939cbc6de4cbb71aad6be2f012b31af57d5045cf647cd665ea67ca3a6dcfe0014eb9eee3168fdb0cba783f20468b016b5d10575013
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8asUsJOLKc/xJtLJtTGVOv:KQSohsUsUKw

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3313) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000b0000000122cf-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2372-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Mozilla Firefox\nss3.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtextst_plugin.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jre7\bin\jpeg.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\Solitaire.exe.mui.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guatemala.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe

C:\Users\Admin\AppData\Local\Temp\2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe
"C:\Users\Admin\AppData\Local\Temp\2498d981126fe875c2d39cf238f5c90508e43f5a8f473f7e7896abe5f7dfdf86N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
72KB

MD5
a9f534e45fe27369420d54005e00b052

SHA1
66bb63adcfb8c074b25b1181584c537ca9f16baf

SHA256
585fa8c86b25dfe7b68ef1a3f8f5583f5ef14949d6c7084faa96307d615fccdc

SHA512
bd3f0820b73342e117488096408fed24ab4ac30da01029135df1d4840bad91269e87a57836caaabfff92942716b697e3940a9fa534c74887741e4ea13110cc41

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
81KB

MD5
3d32f9ff19d20bc572449b36d91afe95

SHA1
7d486b4d461671eb378f8615192256e45f6dcb6d

SHA256
57c94b1e7e6685b223d1dadd37373af59c733151506fce2fed3a3be07525c766

SHA512
53a6b8e4f1eaa156a21fae513ed9006c74199a05d1636ec3662e4a7d51e3c24ff31e39d103a514614e58e8ae82bea980391bb3aaafc8d20bc12d061a44c2dc0a

Download Submit
memory/2372-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2372-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download