95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae

General

Target

95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
Size

20KB
MD5

7ced5e21c051b73a709dc398189e8cf0
SHA1

65af3059528830739ba58e8905ec21b084f238e1
SHA256

95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae
SHA512

e4d4fc055d738c085ff2a3fd3daaaef536945111ee359054aeb4b0427f0443ac147a5dc688c5fa44aae83b7bab439e26d4fa9f67f85dfc6ccc165a0c5a1819c0
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJcbQbf1Oti1JGBQOOiQJhAT17JP:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJ+

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4666) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1468-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1468-848-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe

description	ioc	process
File created	C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\SmallLogoDev.png.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe

C:\Users\Admin\AppData\Local\Temp\95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe
"C:\Users\Admin\AppData\Local\Temp\95b140d7c154cf22bc0896c283e9ec378b479f32d706ecc5ffeae58e7f3e65ae.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp
Filesize
20KB

MD5
00c5209005b1cd9d39395bba637a7ce1

SHA1
84c99fd36616a294600969927387322943e30d13

SHA256
bf0d2430ab210f68db5c6c810e158137d9ab0acd4a6a0dd7725e223aa2d8d428

SHA512
fb3cb70b51ac9c7e789cd49570213648f6d9453cbe94cd76da6f360074fc0c5be0f656bc7839717cd6833038343b187ba490a36edd99b4d93a8aa1376fbe0111

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
119KB

MD5
dde75575a15941489b57677701f9c412

SHA1
201c87563043cea7dd5cd4de5da234e856b201c4

SHA256
249e9ea95a1abc3b2945da6632fa547b751916c3516dd02931b1e42f3ae61130

SHA512
3af0e441db9ba152c4cd90f34e02a4887126ba261eb37891a84f5f73f371ea68e61c396bd522c65316ac3956a4905c33ee2a8bdf0e65086c4d744555e9063957

Download Submit
memory/1468-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1468-848-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads