d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
Size

81KB
MD5

00c5970860bd59108bb62088f360d4ca
SHA1

2096744c436fb4cba941003ed5f619004d672b90
SHA256

d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc
SHA512

5247a0757e1da01c5f7f290ee7db3d74aa6ea7d9941b1832e029cbccaa2f10e4ec663821f64e66ed9848badf1a714ef087eaaff3d1fad9414a4db7c27f52801e
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti3c7Fc7Np:V7Zf/FAxTWoJJ7TTQoQmoNC4Co

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2845) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2524-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c0000000122ce-2.dat	upx
behavioral1/files/0x0002000000010621-6.dat	upx
behavioral1/memory/2524-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\jsound.dll.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Irkutsk.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cancun.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\chkrzm.exe.mui.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jre7\bin\libxslt.dll.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Internet Explorer\pdmproxy100.dll.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jre7\bin\jsdt.dll.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.tmp	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe

C:\Users\Admin\AppData\Local\Temp\d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe
"C:\Users\Admin\AppData\Local\Temp\d0d3ceda3ac427334cae4d6c6657594ecd06dc79153c6ba4a12dfbd367f3b5dc.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

Filesize
81KB

MD5
58f0c11658c12a18243e08c6c24c15cd

SHA1
5a90bb7ddab53f0a486234906b9590c502b2fd2b

SHA256
79fef52b983c02fee71133d4ecc1820e967f32d91225df16b2ddaaad2ba1ae24

SHA512
6baa4c03282fe29e72110771475f546b861dcb6a68b9e36bb6723599489fc0640b3f03660865865ac977a570946e111a7f6fb74e8142562886af1efa3ea34f5b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
90KB

MD5
2761f496b32d2d96f9afeba987fa81e1

SHA1
c76958e7eef281c7ad04777c580e52e86a02f49f

SHA256
0b0fe849ac4fc96ac53ecd053bd51344708fcf5c26b4b3e87ca8b64a2fb27ca2

SHA512
0236004775afa2b57f07f689e5170aa3487c4f69ace5e3847d6fc062a57fd92128116646629e23cab61a9913badf44aa580b92239ceae2299f5a2c996372551a

Download Submit
memory/2524-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2524-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download