7f22d2be151b3fbae51b1e0bb569bbc85505daf241c0c2b9df9db7da5e1618f8

General

Target

7bd7d11e6c951094c85962d2415ebea0N.exe
Size

27KB
MD5

7bd7d11e6c951094c85962d2415ebea0
SHA1

08dcca511267ddbe0ad72dac8a9fa23b5cc83d03
SHA256

7f22d2be151b3fbae51b1e0bb569bbc85505daf241c0c2b9df9db7da5e1618f8
SHA512

e305322872344c61660007ed7a35e0096177d0b7d863b751111f07aa2cc4b5bec9fdf5b5fae361aa82e3612ad93163eaa6cf87c7de93dddaff6ab264372a1b92
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJPbUEobUE51lAwJmdSmd5:kBT37CPKKdJJTU3U2lY

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (267) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3008-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/3008-20-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

7bd7d11e6c951094c85962d2415ebea0N.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\bod_r.TTF.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\fieldswitch.ax.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp	7bd7d11e6c951094c85962d2415ebea0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

7bd7d11e6c951094c85962d2415ebea0N.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bd7d11e6c951094c85962d2415ebea0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bd7d11e6c951094c85962d2415ebea0N.exe

C:\Users\Admin\AppData\Local\Temp\7bd7d11e6c951094c85962d2415ebea0N.exe
"C:\Users\Admin\AppData\Local\Temp\7bd7d11e6c951094c85962d2415ebea0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
27KB

MD5
9d71284e6ed32a3d37d65ebef6c4485b

SHA1
376f0033899c580f187ba0906b198047b0293eab

SHA256
f821761f77a68540b430f7c3d18466182e9e9363f85b43b918428390218f6419

SHA512
35239668bde7732ba83d72068a3cc289350b07a4ff063e1fd91fd133c32e668e1470225bae1e43b9cf2d5a7613c9a14f371f188ce6b3eb0b8a2a9bc275bacff7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
36KB

MD5
5b88d1929f78d62bdb62b4fc965e344c

SHA1
1c929bc95ca123ec45829f447a97a0df45036124

SHA256
c3d2b49dca3a0756799361cb8d2f3e87c7258c80a87f1ea66a939e5a1c7843d4

SHA512
e6c8c0d27b6a6e5f869998e302339e72c7dc29b031b677c00a1cc0a8212d1c9a20f5a65686055fc1b87979ab9397c1d1e96c7ab9d3261e76f7422a702bc450a8

Download Submit
memory/3008-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3008-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing