ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f

General

Target

ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
Size

62KB
MD5

135651f92099ee916426bbe64c409965
SHA1

697b452e0b2c0e4f54fc70f1f6f6453d8f69701b
SHA256

ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f
SHA512

bdc3cf148f71fabc00304ffab004c9427967e130073412bc284bf246fc97d3ce4b96c2790f3dc15b83a05e813538c1653cfff3b7e51bb8a74daaa7869100842e
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8A7:+nyiQSot7

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3459) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1160-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	UPX
behavioral1/memory/1160-528-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1160-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/1160-528-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Media Player\en-US\wmpnscfg.exe.mui.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Mexico_City.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Media Player\ja-JP\wmpnssui.dll.mui.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Mozilla Firefox\precomplete.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\VideoLAN\VLC\vlc.exe.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Mail\oeimport.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground_PAL.wmv.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\settings.css.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jre7\bin\jsdt.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Monterrey.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_right.png.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Merida.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Athens.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\Hearts.exe.mui.tmp	ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe

C:\Users\Admin\AppData\Local\Temp\ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe
"C:\Users\Admin\AppData\Local\Temp\ab0ea4b1c2d3e5d710f98a3c4890a1de9aed0327d2ce23068236bfe5d06f507f.exe"
1⤵
- Drops file in Program Files directory
PID:1160

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp
Filesize
62KB

MD5
1a7fb1ce0cccac006e53799de1da79eb

SHA1
9a46d68043f0f7d028aa0187355fdc4f7fad5048

SHA256
32dd0e356101d1d0262d71e9efdb078db91212789a5a57991330b212364bcae1

SHA512
c801e5b3ee0359037a73ae758e5d8a3ab9206846fc79cc1f045def03476c40cf27d7c6258d51a173b4fd1de25c400b82a46fdafd76db567381db4ac14cc21686

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
Filesize
71KB

MD5
046e1f92664fe564034ecfdd7c09a100

SHA1
07dbda49d9bff120ce758fc21350ca4ab8a542f7

SHA256
25336303f4d2bfa1bef23c446cbeaa8faa711025df6ec9a2d7835e61aa2ab4fb

SHA512
c4b7d1e1eb763e0e6c11f80ce9870c3d34368ac80bb6386b6e25923795e818230425c6ccc0a4fd2abc8d30bdf4930f93e2c3731a381d68a1c6aefcb427e5631d

Download Submit
memory/1160-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1160-528-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads