06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 03:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
Size

61KB
MD5

ce7356ca32b462082067b74c220102f0
SHA1

a62a4dbd4343b4c76aed07c510d3a586566cd94b
SHA256

06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28
SHA512

d97bb779ad69a5a148baf386e51753b8afd7e63b8e92b5bb9b814d326dcb42338128ef6e9eb2986311fb92dfb354bedef52e1c32a50e83c527aa4f9de95e0d20
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9Hx3R9pi1xOR9pi1xNXVA:V7Zf/FAxTWoJJ7Th9ko9khFw

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3151) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/632-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c000000012254-2.dat	upx
behavioral1/files/0x0002000000010621-6.dat	upx
behavioral1/memory/632-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ShvlRes.dll.mui.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jre7\bin\libxml2.dll.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Mozilla Firefox\platform.ini.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Detroit.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgRes.dll.mui.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Mozilla Firefox\application.ini.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jre7\lib\zi\MST7MDT.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jre7\lib\zi\PST8PDT.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9.tmp	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe

C:\Users\Admin\AppData\Local\Temp\06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe
"C:\Users\Admin\AppData\Local\Temp\06f7892ea6bea5be615ed9454f5beadff6526648486615117c4a0b7377f56c28N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

Filesize
61KB

MD5
05cb4ab19ef6ffbe7972990acf5e5351

SHA1
d774fd404b28dc524e40da75427bf46799e832d3

SHA256
2a7ccc3388d08cbd36f5aae8e3e1eb69e608db801523cf8e5f45771956e68455

SHA512
d66f642f6783132d71a910e4eade253162a483ed4984800b3decaa12d75d535bb652472cd9588b34cab41addf97b5054ea250cfacd3962aa3a84556c700d5f29

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
70KB

MD5
91600f2daece230c2ea45247031c4735

SHA1
fb1a7a82aacca7676a0d2aa573eea5750a6d5368

SHA256
60eb12791bc14b736bd81c8b0e1940933a6312fc0dc3be9e94c9f33c4a843dcc

SHA512
c923b714b18efbd9c087b9bcd34b4a9e53e1cc7a51157afe2239e3dc75fab9b8e135438b0303936ad94bd7b7824fc6c380b08ffa9782172fd6dc8b671e58de3c

Download Submit
memory/632-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/632-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download