60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2c

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
Size

183KB
MD5

290e036375d560807af6d3db7e967f00
SHA1

62a6000304357d2226b5dc3cba350191afde92e8
SHA256

60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2c
SHA512

410fb1ce3bffab52361ac84d0a0d130088b02fc82f9c4345fe6b59ccdd89a2a808a251fd12f659b5442239abc3f3008963c843d62ed5147635c8d22f1b69ab0e
SSDEEP

3072:htEyyj2yAeCgjJQWHIjN3tj6qnv0b2UrXkbvLiPz:fEyyj2yAIJbIjNDv0bNXkbvLiPz

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2722) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2492-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000c000000012280-2.dat	upx
behavioral1/files/0x0002000000010617-6.dat	upx
behavioral1/memory/2492-70-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre7\lib\zi\MST.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages.properties.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre7\bin\kcms.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Games\Chess\Chess.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Manila.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Anadyr.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6.tmp	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe

C:\Users\Admin\AppData\Local\Temp\60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe
"C:\Users\Admin\AppData\Local\Temp\60407a417d259276f569c3128ef3d4e8d6d9b1197f0e230d5e1adf7c7b651d2cN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

Filesize
183KB

MD5
27ca44c75ae48792f3ddd6bc75dc7b1f

SHA1
0f26199a4de77c872d1448e6454b76693a9eb481

SHA256
8ac6d45ed73d96ebb0e155433564cb98d57679ee766bb974676f7de9550338a4

SHA512
47be0e10462d09e28340ad7230c24168393088c37f1b8a34b44bdc1ef02ea2cc906e64a292fccf9ebb812e24ba27f9e0c9b9753a51a1955e540f0f063549bf82

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
192KB

MD5
ef0475c7d7122e7c66df2e1d87ca6ce3

SHA1
6bcc1b6b53f6458ca9299c8f467335e4aa919e5a

SHA256
47b2ebbf3032a8c68d07398360f275441a654f9f7ec92510da491a1632dd5132

SHA512
c07b5bd1bc1ad245ac4cbb08fff9ee1588ec6cac7f7db207db7a3d020c019cfef5d98d90ecdfaf3a805e1fe364d701d175b18aa87cd63792a32ff0d00f2c71a4

Download Submit
memory/2492-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2492-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download