3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052

General

Target

3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
Size

51KB
MD5

8b1c98687ac632adaaabe0a53250fe08
SHA1

a5e0583290f068010710bbd65412c976b9cb8046
SHA256

3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052
SHA512

b39054d74de2fb677952575473b8fc0377a3d874afcde6004fb555950213b6f66f56c209e5be696eac26c335a324fccade2ac24fbe9cdc68abc76e4bb4a83cef
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFFi:CTWn1++PJHJXA/OsIZfzc3/Q8yi3nG

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3732) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	UPX
behavioral1/memory/2188-76-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2188-76-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Design.resources.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\hxdsui.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\SkipClose.ttc.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre7\bin\jp2native.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Panama.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\VideoLAN\VLC\axvlc.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Windows Mail\en-US\WinMail.exe.mui.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Empty.png.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\gadget.xml.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe

C:\Users\Admin\AppData\Local\Temp\3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
"C:\Users\Admin\AppData\Local\Temp\3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe"
1⤵
- Drops file in Program Files directory
PID:2188

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp
Filesize
52KB

MD5
03b8b4fe8cb6e760709516ec0e266a98

SHA1
d12e4a40887333f335eaf5b58784b2c7b14ac740

SHA256
9173c31062b775fc159675ef42e8c07a288a6a0b8e5dc471ae7e23763c51eed5

SHA512
efa0ea75d8ff17b1a0faaeca9fa5201c08c8726ec42cf389a0ec4a8432bba589220891879cebede947cda1a399360507449128f2fb937b84e6ca4ad8773e13fa

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
Filesize
61KB

MD5
28ca8ad18b0a4ea6e58f2deb1ed9a7e4

SHA1
acb31a5b8a78ab61a53d4bf589d9ee1641e6bb8b

SHA256
6ce9110af21e388d5fe2c022252b338bdcfc7b2698a0387c5da3b3405837441d

SHA512
1901555eaa882f692ee6b0996b93b87079c3dba9821c0553dc95cd6c248a5fef098620ca2d9786206ca9077805645486b040598d35f29e68ff0410c95d34a6b0

Download Submit
memory/2188-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2188-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads