0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
Size

32KB
MD5

cb21ef866d1ec181bfea4d0a37105a20
SHA1

c9d5d9fa9a007bbfe29ad793faf37db5af1401a5
SHA256

0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2
SHA512

99e333a0e32537b7ad63f34c69c97b6f468c6d21907c10bc8a160c1b3fcf173571075b154354d1a27d5555db9498dd75b7d1fa93f0ef9e5af36468b96b5759e6
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI97LjLNLjLqOdfP6ttk:CTW7JJ7T1vJv2OhP6ttk

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3334) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2824-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00090000000120f6-2.dat	upx
behavioral1/files/0x000c000000010546-6.dat	upx
behavioral1/memory/2824-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Internet Explorer\perfcore.dll.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationFramework.resources.dll.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Volgograd.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Manila.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\Hearts.exe.mui.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Louisville.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Internet Explorer\F12.dll.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar.tmp	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe

C:\Users\Admin\AppData\Local\Temp\0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe
"C:\Users\Admin\AppData\Local\Temp\0f517709a2107cb13bb7c29dcb8413562e27312b035904c4ad81e43620ef39f2N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
32KB

MD5
feabfbf95464f5ca2245e4af094b439e

SHA1
53274e436bb9871ff43cdeaf62f3f84751a4c1fc

SHA256
b8229f8ef230e7167b3314157d4bb5094428849e9456b78a2f315f44df24819b

SHA512
39c6ae0988e14ddbaf4e52dc73e7c3b94244bdf865122e107a7c7aea2be59c582ca16c3ec25571c001365aa708ede643e5bf37ec898c3bdab2cd5202c5106709

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
41KB

MD5
59dce102503109e9a66e06a598dd8f80

SHA1
28840aa554d0c239c2c754b98e8e47655b21c1a6

SHA256
8e783f69b237c052e0087ff929afe653c7df94e072a3b16277fed45981dde589

SHA512
c25d98dbff2307e0a46fcc859a286e5c579df3e4eea3ed79c705c19277abfee7e9bebbab38084ca1212031b200850d979c4b715683b7cd9fc4f474e84c19ee00

Download Submit
memory/2824-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2824-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download