4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7

General

Target

4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
Size

73KB
MD5

5b409b566fe31b289dbae2a81e6442cf
SHA1

7e02fd7302d659b6be7dc3a43db580d935d2cec5
SHA256

4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7
SHA512

8ce75415b0fbebddc6a08a27003f847233e898fc84e6f265e5c064fd61177f96b5d1ef8919508b26961f9bced490ff5f6b3f4e69cc088830c1b63167b871095f
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/QbUkNdNI:+nyiQSobUkz6

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3454) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	UPX
behavioral1/memory/2380-636-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2380-636-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\DVD Maker\offset.ax.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Mozilla Firefox\locale.ini.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Denver.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\currency.css.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jre7\bin\jawt.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Resources.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\wordpad.exe.mui.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jre7\bin\installer.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jre7\lib\plugin.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Net.Resources.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_TW.properties.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT.tmp	4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe

C:\Users\Admin\AppData\Local\Temp\4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe
"C:\Users\Admin\AppData\Local\Temp\4a1f08041ea213d211d22ee3b4c380886a221ce394d59f2845037b098e2271a7.exe"
1⤵
- Drops file in Program Files directory
PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp

Filesize
73KB

MD5
d6abe1603ec7e1f1ac5aef98272d8194

SHA1
5c92d62a57f31cbaa10155ceae25c9c19e3c3e16

SHA256
9610b13d8997126b31dde70a661458d72aaeb3289b10dfbb7860e4cd40d6caa9

SHA512
07e3065bb84aba25661f2234984a55df0e383259358ce2a659d24b867b178d37aaecb7c0a76add3014d334f92ee4707ab59ca966455900061c6865d18587fd6e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
82KB

MD5
4d1af992d26bdee9af900b30d6cff5e8

SHA1
029f6e5497919b5c31c50c4f798b8ff99fe8eeda

SHA256
7d894ea6ab5e0dae3b7b34e1936a4680a7d231e4ee63f98fc4b974d9f27cd7cf

SHA512
96ffb8e918d885eaf9ac8d5ff138b50643a61838b81e225ec571fd24768415db58181158b069a0f84c69f9c4ab7cf0824d53ec427aa5485568d6d7c9606209b3

Download Submit
memory/2380-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-636-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads