0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4eb

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
Size

102KB
MD5

53511842d8bb820f2bf7d37d34bdffa0
SHA1

8827ed1ded14ae163ba77f858c69b042697e2022
SHA256

0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4eb
SHA512

ed55b84ad5295fb5c4da3791f257ec34d2c5a430c6c8496684ac4518538adc660cb11e8194121d83fa007f531f5acbb989e389784d4cb342bd17ac589537b0c7
SSDEEP

3072:fnyiQSodYeHNmkDxfIyKoIWbsHfySkT5GeCyi348oWGRPOzkjId6q8UdrSD+kCoO:KiQSodYeHNmN

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3552) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1032-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000012118-2.dat	upx
behavioral1/files/0x000200000001067f-6.dat	upx
behavioral1/memory/1032-70-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Windows.Presentation.resources.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\settings.css.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jre7\bin\deploy.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Windows Media Player\en-US\WMPMediaSharing.dll.mui.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\classlist.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ccme_base.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.mui.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jre7\bin\gstreamer-lite.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Windows Journal\Templates\Shorthand.jtp.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Mozilla Firefox\msvcp140.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll.tmp	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe

C:\Users\Admin\AppData\Local\Temp\0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe
"C:\Users\Admin\AppData\Local\Temp\0319ebcde2f96c8ed55c9ab3919c1f032d9c6a8d55df84a2ada61d99f103b4ebN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

Filesize
103KB

MD5
cb68ac56d6eb9ae9bcaac627bea1f190

SHA1
832db1ea2daefa74c79e8e23444eda2c25e98776

SHA256
f0474f671b1b6e103768edc0798e9105d718c7f626f401b2c6de593ba4762067

SHA512
4bbaf2dbccd62cb73bf5885d70a39fae0fb456384a75b9bcd6ee77ef7c85c158a91ce0b0b02ea3db8089dfcf1d0d247c16ace785553f822e7d32e7391e5f4f0c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
112KB

MD5
13e6518970c70ba5c961f90bca5dabc6

SHA1
9034debdf48b8be1758509c1acf09055627542da

SHA256
89fb54df86f4be73915280e27fe5730c20f63e755fa9df462397701cabdc1f9b

SHA512
73210e02a33be359de5d07aafcceb0944f3c5f6470ddb042e568a7e31b721a40f05cb62860c1b7d833f91862f2c54db67093c9acac06b02ee5cd891357f2d22b

Download Submit
memory/1032-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1032-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download