81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
Size

210KB
MD5

536a1aa0e02e95af1701f6758a955a27
SHA1

3e83738829fdc3e284ecbe81a05f2797b5d65e6d
SHA256

81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80
SHA512

bdaf2e75e8427220fb68a1c549c5239a396f7393e78fc669e55fec24d00bc5f062763a6b2dfb606bc65a1cfdd2b8467989bab8aa7dd971614e0599722a7388a0
SSDEEP

3072:fny1tEyyj2yAeCgjJQWHIjN3tj6qnv0b2UrXkbvLiPP0:KbEyyj2yAIJbIjNDv0bNXkbvLiP8

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2599) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c0000000122e7-2.dat	upx
behavioral1/files/0x0002000000010664-6.dat	upx
behavioral1/memory/1404-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Yakutat.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\LimitPop.wvx.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jre7\lib\ext\meta-index.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\DVD Maker\OmdProject.dll.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Anchorage.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\DVD Maker\directshowtap.ax.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html.tmp	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe

C:\Users\Admin\AppData\Local\Temp\81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe
"C:\Users\Admin\AppData\Local\Temp\81e13f2a1945db30b65bbe904a75f3652009d8fb1d20309dd48333c710308a80.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

Filesize
210KB

MD5
47c6afdab06c24907d4dbf88e760f66f

SHA1
c71660518bd87a14b89ba8c06f454d20625421c3

SHA256
c03332bb5e9ffd58cb4ff25e52abc3262ef685719cf25756b407f627ff87fcf3

SHA512
2611660eb71667f9fa042f97276d4fd3ec9c93fdbe03fba735c85c616abd9f89facea8ed9bc7600b822b683a758e77a650bea61f19d16854c559c5e00224ed89

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
219KB

MD5
bf5af98b7ec6d3ca2c5b7262f3bcedef

SHA1
eb02ce9aa86a7c27ac0b5b7c0bf432d10555c65c

SHA256
38affe595ff2cbb752cbfc37399b6e64d23d55347e2b7344069aa2c275dfddde

SHA512
70fb5fefbf15108458aa4f1c82d66bf29e13ef4f5543bff1d8da01132c62a3487a5fb6d88d63d47d34736ffcb28ad96ecaa30429e3c620dc3ad9a29091580310

Download Submit
memory/1404-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1404-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download