896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
Size

53KB
MD5

7c02198bc23d5a6cfad5fb52c64ea272
SHA1

725a8e85ee0bdaab0aae847354e2ad7c0b1f52b0
SHA256

896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f
SHA512

36f5a8648d1e7e76e513a339795519faccc5d0cd125d476e08b9d41efb599af4c7a5a37923c6be1641c14164644cd67ad27a65aa7ea0729cb158f00eb03bc171
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9Ro+QOViJfo+QOViJY8u:V7Zf/FAxTWoJJ7TPUr8u

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3804) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000d00000001227f-2.dat	upx
behavioral1/files/0x0002000000010664-6.dat	upx
behavioral1/memory/2404-72-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\TipBand.dll.mui.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_delay_plugin.dll.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\vlc.mo.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy.tmp	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe

C:\Users\Admin\AppData\Local\Temp\896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
"C:\Users\Admin\AppData\Local\Temp\896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

Filesize
53KB

MD5
7f7681e591754a028416758f8544f3fe

SHA1
82f08f4ba58b0adf464bc07d5154166e0f7140c2

SHA256
9a6f8dfcfc5e007179ac0ffe4088d238d3d5255f418de417b07493e03d49f019

SHA512
482c17409ca1d01637f4e322f2b4bfc4a83c20290844213b7440203c8930c23725177e377c0bf8e06134773c7af1131c8e90b57f6b38b5c376b3dc75a468f028

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
62KB

MD5
f7b7b0476457e8a837e2aac71e502b42

SHA1
712b123b3c5d04f4d4a875d182ae5a8a5ac58ec4

SHA256
6268c27247b2def566c0fe7d3c70d3e082cce9ee69c034bb935bc9703a279bc8

SHA512
00a2130d884b3e8da3663b43df4d02019913dd32dced742966b3f81a0a8adc19b3d93245ac1761c35d2d1d498ad2d298cbbd24e4630e2be4d688ce590998f66d

Download Submit
memory/2404-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2404-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download