367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
Size

115KB
MD5

7745671250bce0a2eab978b0b1f0a212
SHA1

b9455d11c8f1a5c22eae4ff944cf93bb548a96c0
SHA256

367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f
SHA512

64544d1d9de8f57888cbc823fa55f77ff3de44e3648f4192044a237a0aa758693bc24d321badcc34c77d252814434fe1db1fbd241152343a5b80b64b8b01ecd0
SSDEEP

3072:ht9iMGfUSaOy9SnJUwFU+FUhFUeFUXFUqyqKRrpF6Pwb:n9iMGsSaOyik

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3438) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0007000000012117-2.dat	upx
behavioral1/files/0x0002000000010674-6.dat	upx
behavioral1/memory/2112-69-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jre7\bin\dcpr.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libgestures_plugin.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Windows Portable Devices\sqmapi.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\DVD Maker\OmdBase.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Windows Media Player\es-ES\WMPSideShowGadget.exe.mui.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Windows Media Player\it-IT\mpvis.dll.mui.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cayenne.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Windows Defender\MpOAV.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jre7\bin\t2k.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\DVD Maker\bod_r.TTF.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Windows Media Player\ja-JP\WMPDMC.exe.mui.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jre7\lib\zi\HST.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.tmp	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe

C:\Users\Admin\AppData\Local\Temp\367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe
"C:\Users\Admin\AppData\Local\Temp\367a433c3c0ed17b7bbbd8b9e58764f9a0ebcf599872153d1dd7fdfd1629566f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

Filesize
115KB

MD5
ddc9d73b9a6f8d827e99e6251832be97

SHA1
0781dc5d4a4be37696f7c603c4b2e636d70259e7

SHA256
366fbd2eb1fe4479b8d1c02aaabbf67131e1dfda4a16ff58fd322bd74d948f28

SHA512
08d8a790bf6731d5b9b29e928b8c088fe8609be7bf1bbf1cc979b3f622e874569b2b5e8de03b69ce63245a46b97c063ebcb6507a0478bc65886c3695564c5267

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
124KB

MD5
a741147a66785b735102fbe2f780264d

SHA1
c1f6adcd33fc69647fc1b7fed083c2c96131bd50

SHA256
6ce73b66d120054b300bfaed0d247eb3c7c3494e7d00313caa22c312f0d6beed

SHA512
ef5dbbef8fa022bbf0742a1ece13d7cdb8268ff20f78687435e0b8f298b2081189c20769505e905e8fd57aade97ec6e8a6d6f0725c249507b43cae379d80ed41

Download Submit
memory/2112-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2112-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download