2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
Size

86KB
MD5

8f5c8015db87c61f0d6a17ae0fe3b08a
SHA1

0902002c9fde58529304d0b84d30c59331d40e87
SHA256

2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b
SHA512

d9632595d6e972a1bb3c1985a22c9c20acb403b12bc64900c7bddf8271c046c9b17ba326060c8dac153af80507bed33d0cab9217f1a36682f0ef00e8d47fd04b
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti3c7Fc7NH:V7Zf/FAxTWoJJ7TTQoQmoNC4CTPeP1

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3156) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1656-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120fd-2.dat	upx
behavioral1/files/0x0002000000010485-6.dat	upx
behavioral1/memory/1656-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\America\Rainy_River.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Los_Angeles.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\bin\deploy.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\ConvertFromEnter.ttc.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\bin\instrument.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\System\msadc\msadcf.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Regina.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Catamarca.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe

C:\Users\Admin\AppData\Local\Temp\2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
"C:\Users\Admin\AppData\Local\Temp\2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
86KB

MD5
e9469c489d349c321d103659ff042369

SHA1
b9481b07e8f6fd480af67aafc8567c827ee66a56

SHA256
3c8384bad64ee325f4603bfd07d0edddd2623ace8c2e020e3ca0bd2dbba97ee6

SHA512
4c7087221a757da6aadcc80ad37a0beaa6e652d41d8ecc23b948dbc86b14cd9dc6fccde606d38539da08e34f8fd70d21a5bd87e646e4ed0f57095a8b3f454773

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
95KB

MD5
3fdf8dbd0bc6f323aa6c4e0ecb0747cb

SHA1
48c3133213b10cb82ca2326567ba709c4f87bb1f

SHA256
8da488f0345d33fc51d0256ebbb5fe7640a1c8a18b6e96eac786b3491a2454f3

SHA512
6b4010c5e4c6d9d8569bb2281aa685b672808917da58f380d34c41d9b9b904999c3eca4b4129b9eb2bd46a25e081670438ab7f4b0805e748bfbc095a65b94639

Download Submit
memory/1656-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download