d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
Size

36KB
MD5

4c6ee1ed585120aff0519c3a1cd389e0
SHA1

edfbb2a1df84ae94c53ce1a3699f7e364f8c5155
SHA256

d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2
SHA512

617495f9b9771a9856180735d63a0973c055c0af101a74e8d2c26c33a8d78ac29a563178adf557634a0a39194ceccbf95e861e8c28e732b2a2d2fb6941f0ae21
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJPbUEobUE51lRtJicszsOVC3xDxN3Qu5p8gs3Qu5p8gG:kBT37CPKKdJJTU3U2lRtJfOsRR

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3460) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0007000000012115-2.dat	upx
behavioral1/files/0x0002000000010674-6.dat	upx
behavioral1/memory/2132-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libglwin32_plugin.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\security\javaws.policy.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\zi\CET.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\DVD Maker\sonicsptransform.ax.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Mozilla Firefox\softokn3.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\ext\localedata.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\ext\jaccess.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\classlist.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Mozilla Firefox\notificationserver.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll.tmp	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe

C:\Users\Admin\AppData\Local\Temp\d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe
"C:\Users\Admin\AppData\Local\Temp\d1c8f346f01daa23f7144ab905b55be8910104c0f27eaddf245af04449fdc0c2N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
37KB

MD5
f3343e72607f13b2ea2a17ee6bc48caa

SHA1
f93053fdc70f34501447624410f2399395380288

SHA256
ba757c41cfab98c0adf3824272a74ec625554145d2531562e80612602f22f9db

SHA512
06ed202dfb62bcedce27662ecbc4b6aff2df9b579a943e39d58a28434eb199e3084a09cdf0203e9c266b13c3dee235a19c9a201d197294056afb909e7ca12034

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
46KB

MD5
e97e7ab5b4c5c82d09af8cef9911e5f4

SHA1
a08d5a40108fd61bdc4907950e187df2a93d1eff

SHA256
898c48bf5c1172845c850830eabbce3d537a84bc4399f3cd944cde0e522565a0

SHA512
8a8546d68a1a7c8391b372fda06d0d29632bfedadc25198c96ffe0bade9f20b661357be5f801826fc4b1bda5c47cbcd5d3c45838db57cc721947b517ed528853

Download Submit
memory/2132-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2132-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download