be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c

General

Target

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
Size

60KB
MD5

8277b65d3e0c37d1c5857776a7d8f2c6
SHA1

0d4ef0603abfaf592a4bfc1385f3a5cb511ceea8
SHA256

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c
SHA512

9a006ee5d3ca1f534874cff906a6e45c147e4e062c52be40e628942f192cdae96dfff3a6c320cd5ed0338449c922aea197f056356f1b7b63d01515c50092a5fc
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PV15Rn:V7Zf/FAxTWoJJZENTBHfiP3zemtjF

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3399) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2020-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2020-62-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jre7\bin\verify.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\DumontDUrville.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jre7\bin\zip.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\Chess.exe.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\libvlc.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradient_plugin.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.tmp	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe

C:\Users\Admin\AppData\Local\Temp\be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe
"C:\Users\Admin\AppData\Local\Temp\be33194c4ee4586c536e9ab8d978021815eafdd36231dd4de1186bd3ec5bc85c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp

Filesize
60KB

MD5
9d277dce971a88a08722aca20fa6d4e0

SHA1
25fb2507f2e4dfb8ed772849baaeeee61337a1d7

SHA256
951bcbc8a0d78b7d5622eb4a8ac27cf23dce0f333b823ad528639a77506f0b7d

SHA512
b1ebacd3607f9d8a41d255aed07dbaf6c4aaf30e33d2bcbbec423f45200c0756063e9c63a829f08a4051f3ecfed7fe26a6191f9be6d1e2137f14b273633e005e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
69KB

MD5
0b53bdcecab49576106d0d5fde00bc47

SHA1
3cc57fa358d0be87cc8a8181094c1b8abeb8f03f

SHA256
e7bf314256b02789275f0febf0b5425d942c446868d2cf3371579c49af65a89f

SHA512
796b3725db5cd0e7642f79e69862464b4c323efd23ddcb935829c3eb2fc5764a0be07b761a6a7eb436f4e430be0b1cde708572e81ea754d507fb52b931399451

Download Submit
memory/2020-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2020-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads