b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
Size

85KB
MD5

dd9fba896eae7e9389c1d67e6e04be4e
SHA1

fc277e744cb4ac2013a9406576a4a3a0c94b7ffb
SHA256

b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7
SHA512

9f1922c395b7a5d54b6ac2d5d332db9579f89e98077ff19ae87d45acef9d46514691af3fd89b7867031073397ca58693325d6215db0604e997fad6c6f2731842
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxY5eYAWcG:fnyiQSox5Z

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3482) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120ff-2.dat	upx
behavioral1/files/0x000400000001043d-6.dat	upx
behavioral1/memory/2348-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Internet Explorer\ieproxy.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\accessibility.properties.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Internet Explorer\JSProfilerCore.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Windows Journal\Templates\To_Do_List.jtp.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsFormsIntegration.resources.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\AiodLite.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe

C:\Users\Admin\AppData\Local\Temp\b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe
"C:\Users\Admin\AppData\Local\Temp\b1b57b2c7cd12798849ddc8b8d0292de9b67c5f29a6cd82ece9bc57046c04ba7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
86KB

MD5
c2f97c2f3dbc69ab397a8f1602ff9d7d

SHA1
48729568d18244fac1fdf1c404ef95890761ecfd

SHA256
b16628a3ba91f72239ff7a8e09456979369694f4c1039170b2a2999be4d56c69

SHA512
4cb1355e8869036649cbcf3aa8dfb36d080610a7a014e77e8525e5c918ddd9f2a845caba2e7bad84e81f8a6329d6babc9bdb818a911ce60226812b8ef6fdc109

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
95KB

MD5
55da089ce8e56fe12e7a7b37f2ef219c

SHA1
da03c024fe78c7a6dcc21742b2c50bb0fb428f5a

SHA256
31685c4299053107d992505fcca815bbc790058ecc5178f31c1976c02b057b90

SHA512
193fae3cfcebc4129029a10926a5369d0ad2b7046185cf4c18522b778cc1a2f90430cae7bd2686004ad1d6c273a99c7075d6c07ccde230631f843bbfe952df07

Download Submit
memory/2348-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2348-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download