487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
Size

79KB
MD5

979b4c46b8dd9c33fddef27416e5c792
SHA1

ad878cfa522189c7a58f352088ceab8224fa4a80
SHA256

487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d
SHA512

19749ebc6dd5bf8f104dad9aaf7d45b3667bc296bd2c790fce9a177cab921840faac590ef50f7b1e3f0a1fc3e91ac7532227d853cd7058d0a1ad85e246508486
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9GR9BT37CPKKdJJ1EXBwY:V7Zf/FAxTWoJJ7TsTW7JJ7T6dkjkN

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3599) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2440-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000012116-2.dat	upx
behavioral1/files/0x0002000000010674-6.dat	upx
behavioral1/memory/2440-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Defender\MpAsDesc.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Internet Explorer\ie9props.propdesc.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Lima.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\LICENSE.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\slideShow.js.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jre7\bin\javafx-iio.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Riga.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\Mahjong.exe.mui.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.png.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe

C:\Users\Admin\AppData\Local\Temp\487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe
"C:\Users\Admin\AppData\Local\Temp\487b79584120c28d62b10e66985252ce30763bf137b5a63f364dd153c5eef87d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
80KB

MD5
e151e92025f9ecaa6af448e0a90783c4

SHA1
41d403629a852e9f45e6fa92590f5d2435272da5

SHA256
afb94ccd0f7b8d7b48833c0d92c4b1b4cd89b4d010449ffb632066afa606d5da

SHA512
15334f83a5c71401104df8f7a2ab48433647fb00934e34e64353bcbe4fcb1274bc7b93bb6f569af1a25c5b90e5e5eb9027cc29e8b6853b38515f430ea0fb8842

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
89KB

MD5
a6b948eeefc218d61366c4ccbba0ed80

SHA1
29e77689678461b67a419057bf8e88474145d007

SHA256
9e8b6a66638f6c0950c4ee572b4f78fbf6540794f1357925176067213fdf9c94

SHA512
3002d9b9084a8c2de6ca2b835586d1fda1b261903604c6fb7b8bc1ba9ff5a82612709cf337ae4af7bfac3fcb671737e94d1dae44788b794c93fa147db3e52cf9

Download Submit
memory/2440-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2440-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download