797fcde04b7727c458c2b051449b8c1583385d113e3d05de3d06af1c3c98a9cb

General

Target

98b59a3f11b44be0564784f665cd1280N.exe
Size

127KB
MD5

98b59a3f11b44be0564784f665cd1280
SHA1

a9ae94ac38e8796ecc1925a302007544cd7f4832
SHA256

797fcde04b7727c458c2b051449b8c1583385d113e3d05de3d06af1c3c98a9cb
SHA512

c725a4a83562ad24e0f9b6dded9ca816a7aecdfdeee6f60fce1d6166ea517122281e7c8750c1ae0c82dc4e934579bcf3fdefa7a73b7c11b878488ec33a4bbffe
SSDEEP

1536:V7Zf/FAxTWoJJXV6C6tfeMW1iMzArE/TidjhyKieiO:fny1bstfeMQiMzArE7idjhyKieiO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (235) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1916-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/1916-48-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

98b59a3f11b44be0564784f665cd1280N.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\rtstreamsource.ax.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcs.dll.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveNoise.png.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp	98b59a3f11b44be0564784f665cd1280N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.tmp	98b59a3f11b44be0564784f665cd1280N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

98b59a3f11b44be0564784f665cd1280N.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 98b59a3f11b44be0564784f665cd1280N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98b59a3f11b44be0564784f665cd1280N.exe

C:\Users\Admin\AppData\Local\Temp\98b59a3f11b44be0564784f665cd1280N.exe
"C:\Users\Admin\AppData\Local\Temp\98b59a3f11b44be0564784f665cd1280N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
127KB

MD5
4a7a90d8f8992f90313c7723c000946c

SHA1
497367aef0c9496f913a8acc4ba5966c29964004

SHA256
60322c3dad7d577f4b5b56e1d7990b50dead108fa488d114c14022ef655a03ee

SHA512
335da4303a19d068a48e801b7c3dd8631c0d99e67066a75757284f5bd29beabe600fde56c0f6adf4b854ff38d4fa463bb96f70a451ba0990b8d2d36445970d12

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
136KB

MD5
37eea32b732d2e57b2664ff5a3195bc6

SHA1
38b84f62a6bb3e4bf24a921bc65b17dcf6f658c8

SHA256
7ec77db2dbfe3999b58e13bb93e4ee6879e548d131c8f846f184eaa9ed188df2

SHA512
6e00b8660fc0e7e96849e545a9d37ceb7f1892a34fb8561bef15a0f08896d318c8a49d58927cc45db5336bf3431471b4ecfc0a47797ae1d9e39eb30ecc066c7f

Download Submit
memory/1916-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1916-48-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing