03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
Size

29KB
MD5

60b2751e4ba719bb1895818aa65ca490
SHA1

edc132aba9d5cecc9d44ed64787721ce6689d750
SHA256

03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106
SHA512

7c59d9d12c5bca225cab7667eaa031f038a6ebfe09711fe7cc11206849e5d93e4ab9b580d81db791007bfd0af125342e63a45b07481d8af933f914ff3b80b205
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJ1Evd5BvhzaM9mSIEvd5BvhzaM9mSsxmMxm9+9enq0vg:kBT37CPKKdJJ1EXBwzEXBwdcMcI9enct

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000d0000000141df-2.dat	upx
behavioral1/files/0x000c000000010546-6.dat	upx
behavioral1/memory/2364-71-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libqt_plugin.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jre7\bin\server\jvm.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Bogota.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.tmp	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe

C:\Users\Admin\AppData\Local\Temp\03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe
"C:\Users\Admin\AppData\Local\Temp\03288aee6954899e975e665ef194712b864bc8d8fed42c5c1400bc7f8b250106N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
29KB

MD5
d4f60988c6777e6f2d8a4f32f2f98790

SHA1
97dd2386b38d44a2fcf2d4633f1c0e6408e3af84

SHA256
73c215c08e64fc0174048339eb0cdc92eb3690da3077a54aa368877ea408e95b

SHA512
24b1815764a67e23a649747fef57c67a1bf4c6bba67e842c8e0e615cad485e9fc9cab636331e5f1dfec998180384df72f6bc432b947d97c649a1d7b9bb70ad89

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
38KB

MD5
e135f687e66d21738e388e4afc6017f7

SHA1
2b9398fe6b7cd7f29d205e2bbaa00acb5b17e64a

SHA256
d0fb5e8c6860c8b6da18dfab34d4f8121de5a9ab6fd088a6ec36d8faf0c48875

SHA512
c35705e0d8b032fa5ab6dce8a2bf25f404c0ee5b6870ea4f83017121dab96badc1e69ee40aa45694ead3985a44a65e6cb4b4012fdf7e81f23ef820e292a7b4d8

Download Submit
memory/2364-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2364-71-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download