aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 18:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
Size

55KB
MD5

6207fa0735bed012084cfefaa57b0830
SHA1

d5ce57cd3839d530e57e1021e0dd430776e2826b
SHA256

aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7
SHA512

a8ee3efab7a2e294dd9dfeae74016757a987d7e8dbeebc592d8a04d2b6db0a2c7234a31aad5e444687699eabfd9034e4ec9bd15edf3661eac7a47cd7c71dfc83
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFIz:CTWn1++PJHJXA/OsIZfzc3/Q8IZTrQ6

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3197) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000700000001211a-2.dat	upx
behavioral1/files/0x0002000000010541-6.dat	upx
behavioral1/memory/2316-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\bin\jfr.dll.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\bin\deploy.dll.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Mozilla Firefox\omni.ja.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\bin\glib-lite.dll.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Belem.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui.tmp	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe

C:\Users\Admin\AppData\Local\Temp\aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe
"C:\Users\Admin\AppData\Local\Temp\aa38459f00c186028773c38c93eb2251ba19a5b601845d36ce93a904f30b01c7N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
55KB

MD5
6d6f150751c565e749fcafecf0a030b9

SHA1
364575e24c0853ca1c81d26bea26078aa083f971

SHA256
af5c4fc38962bfa54694fbc03ae20bda68531c0e09e1aff394c8cb5c12c6130d

SHA512
fba61cf1d5a2a9c36d3fd636110e79e7ffb26fd3484581b2021103b8ce86d33d8ef147ae0a01f55b28c84699063c3d387e05bbd6808387969d96e739208bddf3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
64KB

MD5
77f224210053fbde684cfdd25da5b29d

SHA1
76384fdd803436d843bd55bb85901903ad647a0c

SHA256
d4ffbb59b75183c7fc5275003d931a3caf177644d4a1561a3e139b4e569af457

SHA512
dfd73eed718f78a5757d28ae339b75e6fa1e7b31149612e1cd9b8f48d166c3c1b6a87aab6caef2daa9ae7b884694723e31882d87656facea01373e87551fae03

Download Submit
memory/2316-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2316-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download