59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
Size

71KB
MD5

24f4a80fa95b9bdaf450162b61d129cd
SHA1

b8b29bbc4a62ef890640484dc945ca73c8bbc488
SHA256

59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd
SHA512

73633b9279512bc9282685ede43bdaf55f7d405a765f37313afc8f66ec1c446132b11e168b2535cc88e5e7ad6fdc885e4edd8a4ee56a90c7ad19aeef9726dbbc
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9Hx3R9pi1xOR9pi1xbJBH:V7Zf/FAxTWoJJ7Th9ko9kvJB2JB2

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3508) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/388-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b00000001225f-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/388-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_delay_plugin.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jre7\bin\zip.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jre7\bin\ktab.exe.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\sbdrop.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png.tmp	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe

C:\Users\Admin\AppData\Local\Temp\59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe
"C:\Users\Admin\AppData\Local\Temp\59ea94c96d8bf9f4c81e341dfa599ca717025250c6020a68b818126ec48a9bdd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
72KB

MD5
af942290eccb36bdbb814ddf713429db

SHA1
adf41580feb000995a67f5106b50867b6c8660a5

SHA256
ffd6001f8bfc5d6686bf7211ff734bc608618b42d90446654a73d54164e98b6d

SHA512
5ac00ca6928d5eb81558afe354b6dd6bded94c4f3c91940d23b1418f65a3c5054c807911e7f95d69e5ccb5642506c54cd6ccda75a099797b5f5ecb90e3c43263

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
80KB

MD5
c70aff5ebe926447aa0023ac17283533

SHA1
9d73f950ab0835902a9bea84e29a9b46b02777f3

SHA256
e05af65ffc076962c93a1888732e2a444e9c513ca937c352bfc4f4d87a9d7fc6

SHA512
2c39456566122122582d1ec0af58bbab33016d3bd0e702bd34b387060775d061f0d26e82437b5e7d7685d8c73ed42eab1f39cd01d5b32d408979778d0575689d

Download Submit
memory/388-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/388-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download