f77cfc919906721ce25e2fe5d067c42cfca49200f80a33e58f2ef42a6ff44f54

General

Target

9869c0b46995af32f20234c5d8afe880N.exe
Size

55KB
MD5

9869c0b46995af32f20234c5d8afe880
SHA1

49d5af279ebd75a6f4e868f7510f999ba0888195
SHA256

f77cfc919906721ce25e2fe5d067c42cfca49200f80a33e58f2ef42a6ff44f54
SHA512

ccbfb114a3aa32ab9b309ff9abd5a07de129f1a4bc94da10dc889260cb597fdbe5b0a836084475d33a652e6ac334190954b56beed6c9a85b3477ee2bf600e3eb
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/HggD5o:V7Zf/FAxTWoJJZENTNyl2aPF

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2587) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3008-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/3008-162-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

9869c0b46995af32f20234c5d8afe880N.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jre7\lib\ext\dnsns.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Godthab.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Internet Explorer\perf_nt.dll.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jre7\bin\zip.dll.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.tmp	9869c0b46995af32f20234c5d8afe880N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.tmp	9869c0b46995af32f20234c5d8afe880N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

9869c0b46995af32f20234c5d8afe880N.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9869c0b46995af32f20234c5d8afe880N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9869c0b46995af32f20234c5d8afe880N.exe

C:\Users\Admin\AppData\Local\Temp\9869c0b46995af32f20234c5d8afe880N.exe
"C:\Users\Admin\AppData\Local\Temp\9869c0b46995af32f20234c5d8afe880N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp

Filesize
56KB

MD5
ba60920932ababeb99e32b9594708edd

SHA1
e05c9146aa4d0a3a041af1d66e9fd4636cde5799

SHA256
7c6d869e00b139964a433b1d37e7dadceaff95df38fa77b3749a94ff6bfff519

SHA512
c10e5c4a5ebd23ec4d2c828f98e12b733ea8fdff10f12e92129f812b39ebdc5cb79a67ac4f1e69ae50ab259aab4f2179cd60303a4008db71e448201b80494abd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
64KB

MD5
bf491fe0c7c75987329b84579fd2de34

SHA1
a34a2d3ad335df298621dba6f5055cca02fa4864

SHA256
9d39caa32fa4e692c6ff7678dd8dd0896e121819575c5042800c0697621bfdff

SHA512
83d28d93da79329c21289538cae41a4f3777220cc40bf0bdffafb03a27930aacd46f4a08de7d232211f0955c79a2d7d459a3298fb0977c35f346c480cdd71d8d

Download Submit
memory/3008-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3008-162-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing