141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
Size

44KB
MD5

9122d3572e783604c04fdae2011961cb
SHA1

8b1c720bab6f75ca3e5f3e18ef9b9bd2b11707af
SHA256

141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54
SHA512

80d55037ce8a4367f9cebe0ebd0cdf61818624d92a9f2d5920b1e2af11da41d6b7038f2aab76d9011d73768d533e52af7e1d9d54559a2d728402880b13a7a2d9
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATB7JGvBJJGvB2:V7Zf/FAxTWoJJZENTB7JGvBJJGvB2

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2810) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1520-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120ff-2.dat	upx
behavioral1/files/0x000400000001043d-6.dat	upx
behavioral1/memory/1520-62-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\management\snmp.acl.template.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Currie.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Perth.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\chkrzm.exe.mui.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.dll.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Zurich.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\Solitaire.exe.mui.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv.tmp	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe

C:\Users\Admin\AppData\Local\Temp\141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe
"C:\Users\Admin\AppData\Local\Temp\141499b43c151bcf32b5b6b5274698fe4bbcda6210fbc6a6aab2868d8eff4a54.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
45KB

MD5
f24b1e8454dc50a6e5864fff7b7901ab

SHA1
c457808171ef2d18a3cb192033b46d819ddf8064

SHA256
25597e55783c4197c6618c3afe25aeb7808b6c121b6e27178f3aedd2fb5339f1

SHA512
13eed46744f2881606d377fe41107227907ab31e11cd1fa5b252bc3031f646614c53276e3854a126be7db536132696a6245e7031d9b8a69d8cc60acd2cdb9cbf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
54KB

MD5
1151fd287d6dc71eb1a083397be4e9af

SHA1
d275a79f4bcfd5c6cfd1f9c459950e10b7f4d232

SHA256
fcb7ec7e0dc7abeacef99eefb48e08f0e3bb7715e48ba5def5db39db19f97a62

SHA512
8acfec43b31a9877550111b6a7ce008bc3021830b5d70ce9963a208860210a9c05e1ca93e2838254955055b7c2b6cc8aa4e1c9caa219b61f4071d4e3f46983f5

Download Submit
memory/1520-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1520-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download