80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fad

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
Size

386KB
MD5

1ffb52b63f07303ebc22658e046f4ad0
SHA1

c94a762051b089d87314c5ada5bf6717c6504dee
SHA256

80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fad
SHA512

a9fe5fb486712f5d5b09974b919ac68dd6f7998b5964f75ea1379a80ba7ecc25f3db98965756da0fca75fc97d74108d1149826c1efc9d5685ac10c05cc60714f
SSDEEP

6144:KbEyyj2yAIJbIjNDv0bNXkbvLiPpEyyj2yAIJbIjNDv0bNXkbvLiPx:WyAUbIZGNXkbvLcyAUbIZGNXkbvLO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1841) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2340-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000d000000012261-2.dat	upx
behavioral1/files/0x000400000001043d-6.dat	upx
behavioral1/memory/2340-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Internet Explorer\F12Resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Internet Explorer\JSProfilerCore.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Internet Explorer\perfcore.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe

C:\Users\Admin\AppData\Local\Temp\80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
"C:\Users\Admin\AppData\Local\Temp\80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
386KB

MD5
a588a5c66de4230a2563e61b5e09d96f

SHA1
a506fe02bfb25008afd344afcfb42865d8e83d08

SHA256
9693175bf8da08233e2ccfb2492e0e40bc29663c513ee45014136bdf73376b75

SHA512
d65b3db5312e01a0c7b5b6cc2d5596c63aadf8c4604c021ea360f0971583d185b6b84d802af1ddb4ae052260bfdec6cbd474de75b6d702e66291287fc90168da

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
395KB

MD5
c85e8570950817c82cc7e6ba69b8598c

SHA1
a0598adc236187885a572bcb8d6acb771141d3d8

SHA256
2eb3af7a5697792549e95ed20a4a1d9dacd106702dccee5ee7ad3238b8c05b6e

SHA512
1bd4637a7bfbd416601ea781f913a4706a4148584a333f96018692d85e1e67cf2166f0cce4132e0279746ffd6238b085d1e0763c0acce23ee77fe31d0b072c3e

Download Submit
memory/2340-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2340-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download