936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
Size

101KB
MD5

8f8b93cf86cf9d2837f5aa881342deb5
SHA1

aaeb9cbebd13c3959e03708a4185c4d726e360d0
SHA256

936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8
SHA512

259c3ec046e09fa0a0487778ac947c36cea47e46486a788ce3e9c0b2a47464978be4b319b19679c50ac8584a72de964b9e6d62af1ebc7e686740081868672e3e
SSDEEP

3072:htEr9iMGfUSaOy9SnJUwFU+FUhFUeFUXFUqyqKRrpF6PwZ:fEr9iMGsSaOyiM

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3287) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2656-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0003000000012000-2.dat	upx
behavioral1/files/0x0002000000010664-6.dat	upx
behavioral1/memory/2656-63-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre7\lib\security\local_policy.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libadpcm_plugin.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Tehran.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFramework.resources.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll.tmp	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe

C:\Users\Admin\AppData\Local\Temp\936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe
"C:\Users\Admin\AppData\Local\Temp\936b6be955e7a6a5319da01208440ebcbcfe392e8763816964ac9619be6d54c8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

Filesize
101KB

MD5
bb5501d13c282e6fbe6c78b6baaf8290

SHA1
3e2b2237d408e5095a52b59d199c12ffa4d6a1c8

SHA256
cfbe51815287a559cbdd0e0cb74a530c2d57ee61e1a1a9474633891bb47e154c

SHA512
c22f607d3087f2f78254e33d622964af99a9582695fd550d2e9ac0535b7a861f23c096bf419b4ab3e4f14f9db1a284ddc4ea1f0b62057cb07f4141e5e8868eef

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
110KB

MD5
afd22f166846311bca0f6aea36e0da42

SHA1
6614c7b6e1003c187b89714570600f48480cafc4

SHA256
118ec7f15c86da920d1427b5df14b058b2aa820f4570a8f0129a7bad99e7a0a3

SHA512
395c61c0279313e201d7ff1c723e7ccb6031d75cba82fc7d3eadc6178243f241fce698c1d36ee2b390229f6940ed7c577e284454b999bfdd461d29b76c092566

Download Submit
memory/2656-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2656-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download