20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
Size

388KB
MD5

da0f14119953ac4270081d51ac4a5e1b
SHA1

a62bb58075063628e06ffb2da70f4ffa2267f88b
SHA256

20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab
SHA512

1f43cfc2a38f7251b54694a3687e2bf718d7decbf591732c91baa0783b4f9a0e0ac1c29ecccb81aa49404e579196f754b961a47df275b2d8d1943057292570ca
SSDEEP

6144:KbEyyj2yAIJbIjNDv0bNXkbvLiP8Eyyj2yAIJbIjNDv0bNXkbvLiPe:WyAUbIZGNXkbvLJyAUbIZGNXkbvLp

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2635) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000b0000000120f6-2.dat	upx
behavioral1/files/0x000c000000010546-6.dat	upx
behavioral1/memory/2900-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jre7\lib\management-agent.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Manila.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-6.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Asuncion.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\DVD Maker\OmdBase.dll.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak.tmp	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe

C:\Users\Admin\AppData\Local\Temp\20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe
"C:\Users\Admin\AppData\Local\Temp\20e7dce4d7017bd8eb02d413a50944cdb730ca6fed183edd329a06b296f691ab.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
389KB

MD5
c870ce0f276eba38988a5ea68123a505

SHA1
b30c131d55af3ddb862387e405ab665ef402968d

SHA256
de021b668a4dbc93c09fac1903e0992896d85c1df64e9f48d9847ee845fbfc85

SHA512
eb3b85ef053f6f922caf73e8197fcdd1d4dbc7f70b78ccb26ea98ad6a276f75e4a5d15b58b288fbfd771ec547f2d86ff53703fd8ffb6589aea808e7d83448fb8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
398KB

MD5
d6f80247a4595c76c24bf5700c0fe253

SHA1
66eb19ca88ce13ee408d957ea9f51b540c66ba7b

SHA256
64936373d30e91a513c5a5e6d832993ea4331438249eb6e3c3fc1a83dc1d63e9

SHA512
eb2306e3e024868c92f82782c4fe3c19a11fbc07bae229c0a7b0c33c18b6876cf3087d7d6f6d67c14382a5dfe76d148d10e71f96b4cd0f5e1fecb36ec2188e01

Download Submit
memory/2900-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2900-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download