27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
Size

95KB
MD5

6481ca0040f505ede54eb7bdb7c5d764
SHA1

8b820e1df79dd3695e6e5b5330dd52a17160c700
SHA256

27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35
SHA512

e9643adb07a1b7cb81cead2907e157a92e7672e46ad61db18966c18f373660db28e9ff892da3d9a9a74e21b0f23a22e03058fd5850700e852fb229f533fa0ca6
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti3c7Fc7NS:V7Zf/FAxTWoJJ7TTQoQmoNC4CXkty

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1304-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b000000012280-2.dat	upx
behavioral1/files/0x000f000000010617-6.dat	upx
behavioral1/memory/1304-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\NEWS.txt.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\New_Salem.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\README.html.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Journal\it-IT\Journal.exe.mui.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\cpu.css.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jre7\lib\zi\CST6CDT.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Media Player\fr-FR\setup_wm.exe.mui.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Mozilla Firefox\platform.ini.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Windows Sidebar\de-DE\sbdrop.dll.mui.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.tmp	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe

C:\Users\Admin\AppData\Local\Temp\27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe
"C:\Users\Admin\AppData\Local\Temp\27a1ada69c03ecc4a0b37aa82d539a47e2221a31b3c989c79bebb830b4c98f35.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp

Filesize
95KB

MD5
0e0e63c02f0af8068634cd14a314094f

SHA1
aabeffbe4b3120f53a8f94ee808bced325b0f877

SHA256
f45a67817066c8f464fe5dabdc0a219f1fd4a3ccc1f7ad84ce292ccbed19d0a2

SHA512
11cdfcf563f4031c6d4253a8a62a1fbca9548ce57c23f7177be5fa14bb7eaec14014b8d5b7406dae5ebfb92ba87f24667707bc407ef1874ff87b3264c55d2e2d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
104KB

MD5
c4f26583b8c5dd6d9063e9b30c7ee6c5

SHA1
882733a7e6f495f89a3ab4cb484b1dc3e9d0761e

SHA256
5f18385d227408b0760edd8427c84c3c89a89df03b85d56d0727d67dde6474c7

SHA512
d4f20d0ab9d3ac766f1d33319cb104e1669bcaa26970eb2630f7675f49c10d3e86609fb3cf96e640e636968f1ca877d268263d3c48d7ae16313163525f974eba

Download Submit
memory/1304-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1304-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download