38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
Size

79KB
MD5

98d45e579e4b113f184091f9af7d611d
SHA1

cc3c91706d9be1ebbfff24344841b5b4e37cdce4
SHA256

38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9
SHA512

8b43df502f2693fda471bbf9b3a9591a6869a6683239ba55c8b911956e4dfeab00e87dcd404e3ba863abb836f6418f0d1154b2c46b3c51752abc2755842fc12c
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PV15RK:V7Zf/FAxTWoJJZENTBHfiP3zHQtMj8/

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3622) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2116-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120fe-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/2116-72-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\America\Creston.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST5EDT.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Internet Explorer\Timeline_is.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Juneau.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rainy_River.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgRes.dll.mui.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\settings.html.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Media Player\en-US\WMPDMC.exe.mui.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chicago.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\TableTextService.dll.mui.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_pt_BR.properties.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libqt_plugin.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe

C:\Users\Admin\AppData\Local\Temp\38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
"C:\Users\Admin\AppData\Local\Temp\38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
80KB

MD5
04aeb6e17231b0211d392dd70568a490

SHA1
840ffee3620a4192ea4b0e033ad027f5c80177b5

SHA256
7631e1572c03f2e02f861dd343d1994803837024a097ce9f7a8cfe4f5e2f3d34

SHA512
d1a6c1fd42746ab9554a22116abcc8a3c955b75d0ccc6e79a35cdef2fe0871d1105e1d8606fccaf897bbce6e2804e1fc56269fbfb129a952c489d5d6ca09af4d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
89KB

MD5
24e4acfffa20bee98b5410097c8969e2

SHA1
29876f1cd9fcac50f359eeb8a8ae4df092d7e38b

SHA256
3ef8d4f33f6afd21828de519b8acfa6cec330cd4b193c1b2236e98d48763a194

SHA512
3c373cf5b2b7ad5e7bab1758dd44d2a2e60b2977c692dcbc0768bd74c94de3edce9453dce84d3455f462cfcac3cb0d1d066816f95300b8201efb56fd9297f694

Download Submit
memory/2116-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2116-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download