169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
Size

184KB
MD5

58dfcd37869ab90e69bbd8c5344549d3
SHA1

d2f7b261313f2af56bc76d21ca347eb7755f8ac4
SHA256

169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e
SHA512

e4c0501c196ca52d7c0ebc78b2700ab0352069077b8ff8c1b2411b35d7cb6d2076f0a7e32c95697b8ce874143b0f15f6cc6e0d20546d9618205dec454eb9e50f
SSDEEP

3072:htEyyj2yAeCgjJQWHIjN3tj6qnv0b2UrXkbvLiPW:fEyyj2yAIJbIjNDv0bNXkbvLiPW

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2786) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000b0000000122cf-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2380-70-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\System\msadc\handler.reg.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre7\lib\security\javaws.policy.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Antigua.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\t2k.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre7\lib\content-types.properties.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe

C:\Users\Admin\AppData\Local\Temp\169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
"C:\Users\Admin\AppData\Local\Temp\169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
185KB

MD5
08d5eef8c02de97820f5da21575ce451

SHA1
a8fdd3873b01313b2fcfe9f8116ad6ac59b6b05a

SHA256
4ff7081eace3a326567e072e3f06964cb9a6dad6c0ee115d4920c956ccbd3d8f

SHA512
62a17aa32fbf762f3b8c2afe9a1162ef05df6a53c73e16107e6bbef64a83167bac66ef707edd0ad5079fe22b12f5a89a92d89ce37b33d9d7631577b429ff127b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
194KB

MD5
5431dfda30174169c7db357e30cc2169

SHA1
7a4186aae99e27764260ea7127db09e4b840d828

SHA256
eea5f30f60e5b09fbf894ae897b58c22d2e2c4447cbf629e31138cbd77d81920

SHA512
d4bfc523b6d552c7393cc9e19028c76e079f79da1f486e4407370179c5140493aa03bfe9c3b21b3efa0f80147707da2c2700f3959df9b9f0363292185f097f6f

Download Submit
memory/2380-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2380-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download