6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
Size

36KB
MD5

2f6da7ac9208fd87cc26f223173fc900
SHA1

377b3d4e7c0482b9b2c73ecf699499303316a1e6
SHA256

6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898
SHA512

91be5d3996dcef8e173d211fc51c7db579b07367eb9f1a0478813a50a0e42191874fb518bcd645d88b1e07eb25ad571ebc3f274a755b4f9b52fe8b3012aeb119
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PV15R5s:CTW7JJZENTBHfiP3zm

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2951) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2368-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a00000001225f-2.dat	upx
behavioral1/files/0x0002000000010620-6.dat	upx
behavioral1/memory/2368-65-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jre7\lib\security\javaws.policy.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\FormatWait.mpe.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Sofia.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\MeasureDisconnect.xla.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Yekaterinburg.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg.tmp	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe

C:\Users\Admin\AppData\Local\Temp\6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe
"C:\Users\Admin\AppData\Local\Temp\6527ef3d974c65ef183845b78f99154d7a49763d38063a39fe563ebb4502f898N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
37KB

MD5
d4488e325c9294e71a83a89b17e43d42

SHA1
62615eda7b172228fc9c5e51e90301f944cb73c4

SHA256
b05e100df423ec98e347215679d4d39d4ffc0c6555b9eb836f8be54f020b3d8d

SHA512
87d44b3312ebaf6694bdfb08f01316ed79809f3986a715c2d085df3e7fc93e57b80fe9a3324482e07e66080df5ddfea9d25273d804311e5c998e00379fa79353

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
46KB

MD5
3f5eb4ce5bdd06cbfa5c642ac1520efc

SHA1
1199f86a94ada361b86a4273dc5e5dc04c81dee3

SHA256
eb56b9c7ad27665893b6b369b600dadef510dca1391a903dbba33cc59508c0a2

SHA512
b2517bbaf97d421f537aa629b75661a208123a1a38929d84ffbd1dd2938edad228c5760be9786f6e49e2d16284631dc1123c9965aac56a498acf04422d68622b

Download Submit
memory/2368-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2368-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download