4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
Size

52KB
MD5

0e5167b8f4e92469fd83c6e30c6b4c37
SHA1

605f3771eddae8e59d0dcbe853386f68b59707c9
SHA256

4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a
SHA512

000800c3ec3e3d33b0514521b866e793755571721a101781ec2de6e968354fa07a190fb2e3bcc5c2c17a43e30fc60baf99917dec84dd524c9775a40878cb4c31
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9p:V7Zf/FAxTWoJJ7Tz

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3751) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000a0000000120d6-2.dat	upx
behavioral1/files/0x0002000000010617-6.dat	upx
behavioral1/memory/2648-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Windows Media Player\es-ES\wmpnssui.dll.mui.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Windows Media Player\en-US\WMPSideShowGadget.exe.mui.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\service.js.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\Solitaire.exe.mui.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\DVD Maker\PipeTran.dll.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\libvisual_plugin.dll.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Seoul.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Antigua.tmp	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe

C:\Users\Admin\AppData\Local\Temp\4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe
"C:\Users\Admin\AppData\Local\Temp\4e33ae49c622b74926f22455de745381f5bff13d9560308d7d53c5ef3b86c78a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

Filesize
52KB

MD5
cfc17f79f0794885fb9d1aa600e210f8

SHA1
24273ad210be63f49ef3635419beaac889b80692

SHA256
21c018139467aaeb2d3231fad114f98bae6f8b35db445d9e02c2cd71313a4267

SHA512
b95f6a4b43926d42ba73d1e7453c296877c040b426ed82a04869959827997a8d5c43345a89db200873e7206cd7fe8f7e4673231284291a11d66610f274d95143

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
61KB

MD5
ec65835a7ba4df0e32c707945d15c649

SHA1
c17d7a8cb98749c4f628f7c62673dd16f3f286b5

SHA256
d81b7207ddf85d695428ec80176fe4fdd171ef7c6f9a0b55332ecdd8a4298341

SHA512
495d1c355977aae4d7fde5430ff2f143ab4395866f47aa5b7ac767c96294a729ce36085246f8e6a2d8f00c6ceabc67c402a21f9fa411ec286d3396d812fcad60

Download Submit
memory/2648-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2648-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download