bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afa

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
Size

39KB
MD5

bfbac203a702ff4fd60ebeb0b42eecb0
SHA1

2b2b85fbacf6df0cd88fcbcd0c652862cdadc74d
SHA256

bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afa
SHA512

b855595e30bbce86a8f65eea51e505edd886292c999a0aa2d08f5412e3f5dc78ca3b1ef4b64dd5522cce75c5640c36792f4bc925445489f882c77766cace704d
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcI9Hx3R9pi1xOR9pi1xY:CTW7JJ7Th9ko9kU

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3428) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1392-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a00000001202b-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/1392-75-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\DisableComplete.xltx.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jre7\lib\jfxrt.jar.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsTap.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jre7\lib\deploy.jar.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jre7\bin\instrument.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jre7\lib\ext\zipfs.jar.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgzm.exe.mui.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\vlc.mo.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\DVD Maker\fieldswitch.ax.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Mozilla Firefox\install.log.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12.tmp	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe

C:\Users\Admin\AppData\Local\Temp\bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe
"C:\Users\Admin\AppData\Local\Temp\bfb56a5d2d33b258c687908d1afc24a015b3e1e3a192543ab86876fbcc352afaN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
40KB

MD5
999570f4efeff1b0e0c771786cb27bc3

SHA1
1817309f50fc3437576c4381d56a86221a82c898

SHA256
a6ec71d457373b0364722f99cbee90ffd8f40cecf15ba4c1a66bbda333564def

SHA512
9911363c72c0f99e459cc5544a9bbb6afb8cc1986c1a6d5361ecbed7b5be6bd9a0562819c07f6a5a07f4c16acd8e6a4b95cd9f2b357affcd44f49484e87740ba

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
48KB

MD5
8fcb41e2537ff35b66a8fbb4234467b0

SHA1
ad61ca253507b543f5848d174689a35fcd4940e5

SHA256
b8c686e601df52c1095ff3b8c7e45678f6fa70ccdde3b59a6c94ef4c131fc694

SHA512
f8cccbdb27dcb6cc93c6fa0e24e1c77a35e31a4876a0d90a7446a32ee191acbcb38ccfc188b77e2676e7692aa6ddab1dcbe789a85adb4dcfc0bd93e1f185a480

Download Submit
memory/1392-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1392-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download