6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
Size

94KB
MD5

87982f67d48731009d4b94015eaba170
SHA1

19e7e7941b42ebb999f48c46a13efcb777d8c79e
SHA256

6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0
SHA512

b53793a389b2bbcb21fdeaca04b1e3a08fcbf61a87ebf78c48186fa1072d27952ae4bd0fef9acbc189e5cb42fd556add6f0aec70dd5fa7d6b94b149057a3692a
SSDEEP

1536:V7Zf/FAxTWoJJ7TTQoQfTW7JJ7TTQoQlo:fny1oRooRS

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2934) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1868-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b00000001226a-2.dat	upx
behavioral1/files/0x0002000000010541-6.dat	upx
behavioral1/memory/1868-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guyana.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jre7\README.txt.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\DVD Maker\bod_r.TTF.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Amman.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Mozilla Firefox\lgpllibs.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST5EDT.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\MoreGames.dll.mui.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jre7\bin\wsdetect.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe

C:\Users\Admin\AppData\Local\Temp\6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe
"C:\Users\Admin\AppData\Local\Temp\6941a9a55574c5f209689028c008d4c8a49de8c9a62a4df3004582c222a8e6f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
94KB

MD5
2bef07e7917c1cd6b1e4a0adfce8e5c0

SHA1
6da7a11b2f99393a910680aad49e1b40c8fb7482

SHA256
a0bce0673f5a71aa165705d5182b1bad5dc2290a6e475e13ae42e444ab3e433a

SHA512
68262c682256f2747a6a692ce28caae678ef525f03598d0f59de9a1be79b7e2a18a45c7ae48582f26f7374a84bf70398f077d5702ac101b6e63b9c7f2a5d10b2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
103KB

MD5
ca753996890975005a9a24b1d29e4bda

SHA1
c8adec82e62c84815ee26b5c7b7ecfc980b2324f

SHA256
673c3c158832a7d4630563e3e8575886feb3d722c89c1895caa162b0819ac0c6

SHA512
1f454945de458a0be0a5c4e90b7cdf9427f30a0207748d5df865da40b38563ff5c12ce1d2edf96d355f8f36141ec81dd0a6385e9a0f1075ee8cae340b5b9a8f6

Download Submit
memory/1868-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1868-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download