0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1

General

Target

0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
Size

101KB
MD5

74a835c12cfe49dff9b0c227a07636b0
SHA1

7d4389b48dde48f039ee715c2f1c69690d4208c2
SHA256

0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1
SHA512

68e1d709109ee646e9ef8db0c85fd7817d4dd0634fa72df74bb781d43fd420366950e2ba4541fcf00f0518849921707bde56271b719e81aeff9fdd44ff8f6de8
SSDEEP

1536:V7Zf/FAxTWoJJZENTBHfiPRdgTW7JJZENTBHfiPRd2:fny1tEwtEt

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2852) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/880-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/880-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Regina.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Internet Explorer\iedvtool.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Internet Explorer\F12Tools.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\bin\deploy.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Halifax.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Internet Explorer\Timeline_is.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe

C:\Users\Admin\AppData\Local\Temp\0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
"C:\Users\Admin\AppData\Local\Temp\0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

Filesize
102KB

MD5
be836e407fb22e8eae894a2f633590e1

SHA1
3c0dd5853c5a1d79a78e49912856f6dfaddac1b2

SHA256
87fd10296faf57c0cd089918c20d6519e9526301780ad89d5d4bf7887120d9e9

SHA512
5f1a1403615d64fdb74e1bb59dca8680c84e93c9bf2f4b36ada2c55c9d5164c05942516ac134142eff8523beeb5b7c6831cbe9a6a4ad6daee28617dc2205d812

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
110KB

MD5
1b8025e0fc4dc2bfee63894ff12aa9c8

SHA1
32c6fbaa15d4df723bc4005c20df589ca3fccf8c

SHA256
ee183f812a85960abb44c7832000bcbb98f0219f67cb582ffccf2f8915f15c64

SHA512
dcb94e2176a6e50665103576e3ddc5bc10ba1f87a798eaac3ba5c4894ab3cfac635f0083af9b94168332117de93b4ccc16fc64107634764979b3226cdc1df4ad

Download Submit
memory/880-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/880-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads