fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd

General

Target

fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
Size

97KB
MD5

2bc531a3f81217bd96860e8e54e89fe4
SHA1

adbee703bbde51289e81805b9c80cafba17f4743
SHA256

fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd
SHA512

35688a0a170979f5a2bc251d020dccd02be1157db19c7a4c1f91b44446c77169950e5dd78b29152f89ac04efdd5b49beeba731084b59250b454fe744fced99fc
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfa:hfAIuZAIuYSMjoqtMHfhfa

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3442) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	UPX
behavioral1/memory/2604-76-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2604-76-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\gadget.xml.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\gadget.xml.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Media Player\wmpnssci.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Manaus.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jre7\bin\unpack.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rainy_River.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jre7\bin\gstreamer-lite.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\vlc.mo.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Internet Explorer\ie9props.propdesc.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
File created	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui.tmp	fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe

C:\Users\Admin\AppData\Local\Temp\fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe
"C:\Users\Admin\AppData\Local\Temp\fa8de58d621af97295e74441dd3467cb551773d24a49dcd0c9a069f5bb3e7cbd.exe"
1⤵
- Drops file in Program Files directory
PID:2604

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.tmp
Filesize
97KB

MD5
7f80455e5f873cdb68301dcf3feffa4e

SHA1
8098591dc66b286e0e5a313b3b13173b2cfb17fd

SHA256
1f667fe92c7bf7ccad639b0178526648c4aa5843e5fb3cdafa4e4945e19927b1

SHA512
d9a915666bf4915c26499acc62a62a089b068dc511a95b8ebb744fd12f811317586dd81b5e33f72a02d9f401759b7556c5d007b0f2519d00cbda9a31bf8ccf30

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
Filesize
106KB

MD5
617e435b8e303c1f9c39a437c4db2564

SHA1
15faa527577e6deb6bec5554ff1e42a8aa1b547d

SHA256
dd8044abd2bfdaca95bea955e4ef723100eeb6ffb9f47c553b1ff06d37206046

SHA512
d989b5c454086f725241eedb6afe3baf73f8c8c944deb75f76f9410197b670daa1bcd189f40db0217d284c22fae1a559c25a34a913c26246364c0c4de6825ff7

Download Submit
memory/2604-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads