3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
Size

36KB
MD5

d465741fdd1c00c9de0f593847df5803
SHA1

e10d6f4a0a3561f7dbed688a2199e0552bfeab32
SHA256

3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01
SHA512

2a47ad01c7af6fabe67db8d361eaf6499d1a6efa72f5313c6775ab974039dc1cb330dc8c2c00c102eb42ac5d5f80ba7f4250209441d4eaf678afb4bdcfc4afc8
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATBApwp133EskmKsN33EskmKsKbP8/8g:CTW7JJZENTBAOIfmKJfmKs

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3790) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2120-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000900000001225f-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2120-72-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationBuildTasks.resources.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\library.js.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Journal\jnwmon.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\DVD Maker\sonicsptransform.ax.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Mail\wabmig.exe.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdate.cer.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Media Player\en-US\wmplayer.exe.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jre7\lib\flavormap.properties.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pe.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\MSOEURO.DLL.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chicago.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Havana.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_avi_plugin.dll.tmp	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe

C:\Users\Admin\AppData\Local\Temp\3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe
"C:\Users\Admin\AppData\Local\Temp\3a3fa327cea6d8437f82598e2691dbd323ad6bf0efd4c6ae518269029c756e01.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
37KB

MD5
a65e1b99778aa37d3c00c42a55bf31dc

SHA1
7d1373243a9aeab600d08ce97d0aea59cb5dc0c4

SHA256
d5c63d4aa15a3430e11ef47c0d183a896c7023f95ae0f0f8c0c3e5725001c07f

SHA512
5dac82ae770d4a2e6f9bff87eefd61ce31bf665d85b3e51ab539d6b8b2fa68f9022cfbbf0980237de5f00fcaedbfa186d41463be7d5f7c04adc8d70d0811d063

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
46KB

MD5
edf51af62f6e515d40b307cf2ffd9af5

SHA1
46c292a279794b9bb902253b33dd62ec96f167bf

SHA256
64964609d02463eab0f4b79373375674eba3e59016f7afca9a46428b9e73741d

SHA512
093653b78ccda16881d972b87ab7d3ff8e71a072d01930ff3a58bcd016aaf70940e7e4c7523bd5d151398fa409cb8aeb3e269194d785fc6460044e265613bb22

Download Submit
memory/2120-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2120-72-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download