420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede

General

Target

420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
Size

58KB
MD5

1b279bb71618661f62f5623fe1ffd8a0
SHA1

9c7626bd5f2c6270fde7f4c9f64960174527641a
SHA256

420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede
SHA512

9b842d77f73691d63adcb5cb62f0ff0f75c7b0474af78421a76b18f885095502325f1cc52cee53f3a3c9e350f296a1909598f108b91a37dfb56298b570315403
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFaz:CTWn1++PJHJXA/OsIZfzc3/Q8asUs0

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3497) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2248-76-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jre7\bin\net.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Journal\InkSeg.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jre7\bin\ktab.exe.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\VideoLAN\VLC\skins\default.vlt.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Internet Explorer\jsdebuggeride.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\wordpad.exe.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\DVD Maker\OmdBase.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Maceio.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Gambier.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe

C:\Users\Admin\AppData\Local\Temp\420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
"C:\Users\Admin\AppData\Local\Temp\420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe"
1⤵
- Drops file in Program Files directory
PID:2248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.tmp

Filesize
58KB

MD5
5433eeb01a9ee903a1bfc8f295e2e6b6

SHA1
75939d408823d7cffc7be4003507ac6dfb8d456d

SHA256
bb4bfad28c6d1f4afca3bd94d356a125d6a49f6411de60981af906ccb5c39abf

SHA512
8006ac72cee4d56ea3b8eb53de1617d3133155bd6056288a49f7d809b6f1d7ce859d7569834b3046d300df7530deeec6779b6bdfe5d5bd6d1d9f2534946bfab2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
67KB

MD5
41c657b14aa9b7b83f58a8d867db5c53

SHA1
13b0b2bfe796047467a4f9027c7e19477b4b0b5d

SHA256
4d9aebd413cbf8c2af86b14c1b2fa77b919f974476f4b6546224c446ef2e5d33

SHA512
4e6ebe4d9ae6a96d76c9df74dffb82fb65a4577f59963c32d7a2088658dfb392d96b37886d0a986f9b0fac0920ba560ac326a732d0f390f70177c4d3d5a3356f

Download Submit
memory/2248-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2248-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing