4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555

General

Target

4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
Size

64KB
MD5

90a2a7b57235e700ba43c66a385abd6b
SHA1

b67759e4dec5af1f42aa3a548948a759f71b3833
SHA256

4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555
SHA512

418a022a8819e0c9ceaa1bd339c325175953c6e05dbb48ef02bd45f89393e9c08362cd3c5d48ffc75af75034007baadd1a33aba057c632639e6ffb6148aa334f
SSDEEP

768:67Blpf/FAK65euBT37CPKK0SjHm0CAbLg++PJHJzIWD+dVdCYgck5sIZFufGWQML:67Zf/FAxTWY1++PJHJXA/OsIZI

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3607) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	UPX
behavioral1/memory/2916-652-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2916-652-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe

description	ioc	process
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh89.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Curacao.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jre7\bin\jp2ssv.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\gadget.xml.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\sidebar.exe.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Flash.mpp.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Windows Media Player\de-DE\mpvis.dll.mui.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe

C:\Users\Admin\AppData\Local\Temp\4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
"C:\Users\Admin\AppData\Local\Temp\4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe"
1⤵
- Drops file in Program Files directory
PID:2916

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp
Filesize
64KB

MD5
bba557dc694c66846c8f3f6a752845bb

SHA1
1286b1700929c0f2a16a41df3dbd1409785e5e97

SHA256
32d5be3300bc675c754670fe9340f6d9b52a249a27fa071d9825201d5b13ab10

SHA512
68865124390adaba585b76c44da85c7fd5a86619dbfec484b578b9f37611a43d0a71a4c3d10fd06761707171ac8b5e34c1e80863144b7faec6da24658a90f20e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
Filesize
73KB

MD5
671f0f67b927a9d35b1c3517089a5403

SHA1
4e96b166a9ead6d5689d00d5acea7ae099096342

SHA256
d056e53e45f709436839c464041c941a4ade87395d4ac368910a62302f613efe

SHA512
f50a144d4a7e8027387fd3926590d68a136c95e6b9e0d810f773fb7e4cd374c38bb75228a616d298389e465c9dbdd4b0ec789dbe1515b0c53aa4e863e1a8f5ce

Download Submit
memory/2916-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2916-652-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads