b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ff

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
Size

38KB
MD5

69f26e9d99efde4af0872226dc7481a0
SHA1

2dac8a49cbc2d1972f3c6e181739d304fcfd1e70
SHA256

b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ff
SHA512

65aa1366392b2d7bcbddaaa9649581aa65ba18c4960b1e103e18af3b272b81b9a2746d75803b31564585ea6bd737cb8d10d719aba426df8ecb6d6559395f4fde
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATBWvyBh85c54w/JYWJYZ:CTW7JJZENTBWv361JYWJYZ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3457) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a0000000120d6-2.dat	upx
behavioral1/files/0x0002000000010617-6.dat	upx
behavioral1/memory/2708-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cancun.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\bin\java_crw_demo.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\bin\decora-sse.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Baku.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpsychedelic_plugin.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Mozilla Firefox\installation_telemetry.json.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Madrid.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Stockholm.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\MeasureWatch.rtf.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.tmp	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe

C:\Users\Admin\AppData\Local\Temp\b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe
"C:\Users\Admin\AppData\Local\Temp\b05fe0f2dd97e5f9a905aea6d418b2ca5e8800cea2435f70e69e4eb8006369ffN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

Filesize
38KB

MD5
525d0c4eb8ea0274246e70633b5c627d

SHA1
3581f10ac7e9942d6210446f88e295b778e962b3

SHA256
def4865ad3fee419dc0e30a4aab60ef6fe48163a3a7869e5c55ee4ca9ae7cdbe

SHA512
2f54d03a5847a8a4f523c8fca4f4673ca5860fadaf317e61366abce29046d3c988b6659d97a665be302f9b297dfc6dac1d601bdf4a30f8c9ff751a905750e88c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
47KB

MD5
8d2bc46c038627dd25a48c26d0a7abf3

SHA1
eb31a26a039c12938e1861d6d224e76c465c49b4

SHA256
6a08bb829b06bcdacc551e265d75a7093760bda1a95dd3688574e5ab826023fb

SHA512
7cb68ef96d89cb2f09b103a5d855da219c1c82e96c9934c98d6fb5994e2bc31f97edfe56a4935238714bb43caaee0e892e5759a7156ea221a60c2e847a5b5553

Download Submit
memory/2708-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2708-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download