f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
Size

74KB
MD5

5a65934456a2c51ceb777930e3a9560f
SHA1

61a027500cb1da73f38d44223e79633bbb7b1eb3
SHA256

f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c
SHA512

f8f2a472dd3a40366b1d19349c79b1ef05840c0c174d23a73f4669f222225bafec4f7ae88761586251eea68a978021ce27bda3dc7054d89bac031c27f9c7fcc4
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PV15Rp:V7Zf/FAxTWoJJZENTBHfiP3zem9

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2114) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2324-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b0000000122cf-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2324-50-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nipigon.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jre7\bin\t2k.dll.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\InitializeWait.mht.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jre7\bin\dt_shmem.dll.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml.tmp	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe

C:\Users\Admin\AppData\Local\Temp\f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe
"C:\Users\Admin\AppData\Local\Temp\f27b2a0616181a63c2b3c4737ce1c26ddaa47fb061d75c253d7249ab2961195c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
75KB

MD5
2e5fb92f9bf8589cf3a503637946ee49

SHA1
c888cb072549aceaf30fc904530db84a20a5fced

SHA256
523cecd39e378b943e48968b9361244903fdde48366f0972862f4b34011a6df1

SHA512
47affb3fef393cbd74fa0c518992331a78fc742fed5f0136f9192aba25a5dc07be0462c50d1cf70c80d2c4409a99682054b303f6792a9046452fd40b75f5801c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
84KB

MD5
ea20baf68ddcb2cf6195f6d7a45f261b

SHA1
c619f10a472c1fac04a6ad1a4afd51b99bc8d7b3

SHA256
91c10217a51a2ebc17b32446b75e126f82c0652e39502fdefde473015da6baf8

SHA512
c67fb77eedaf1ba006e6ba0bb9c877f92b1b87ea6cbf8598711d836bd5945ee5b26fb32a12393dfa3c1ca4eb5030d595bda0a442b324e9e84929bd320c0f7cfd

Download Submit
memory/2324-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2324-50-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download