3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
Size

61KB
MD5

87337807eab6f759ef4441f2774c04e0
SHA1

b48daba0525d67c123f8f294bc9238a4f9998240
SHA256

3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381
SHA512

76f5dd8d294643aa9a393774f803d2b063aab11f5acd0effcbf8540c8e4064bfc30f9c091cdd1b85bb6ef950558080405bc80ed50826356d69816d929caf3fc3
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/6m0m+Q:V7Zf/FAxTWoJJZENTNyl2Sm0mKg

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3266) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1984-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c000000012281-2.dat	upx
behavioral1/files/0x000c000000010546-6.dat	upx
behavioral1/memory/1984-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jre7\lib\jce.jar.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\ir.idl.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jre7\bin\javafx-iio.dll.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jre7\bin\unpack200.exe.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\Solitaire.exe.mui.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Mozilla Firefox\dependentlibs.list.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jre7\lib\security\java.policy.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\splash.gif.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley.tmp	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe

C:\Users\Admin\AppData\Local\Temp\3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe
"C:\Users\Admin\AppData\Local\Temp\3f0adef3fb28c8a7f6d36c708545f05501c93b866279b8e52ff6afd886bd9381N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
62KB

MD5
289eaac60cabdcf55b7094a1efaf0149

SHA1
0b300333a57e448e22515973d89ad25311c951da

SHA256
460cf6fd34d4bd76e6acf13317d4ab7fa070ce8c4f0c030e6401410db0f9975a

SHA512
a9f53af29ad3dd962ad6263bf4ca1329123a0f22334e2d6c9940f7caa2cfe38f4dc4bfb4ce2b4ca049cfc54031b164077590a45cf75fb06983d012488172287a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
70KB

MD5
f02a52f7f40b5096d0f974ea2704c888

SHA1
cba278d4d5607d2954d7506152b0b8c1fcc002fe

SHA256
3e4ed6641f4b95d851aa7f30a0d290df3ae18b782f056c1d639d4e642ee81ada

SHA512
01c4ba6b077fafcb28f6eb16147f6d9a4ce0cc4cd5a8844a98f3bed82c528d32355aa7fa9107c06574d38309e576d3c020fa7d78d059934a8a9326749e84031d

Download Submit
memory/1984-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1984-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download