0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1

General

Target

0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
Size

101KB
MD5

74a835c12cfe49dff9b0c227a07636b0
SHA1

7d4389b48dde48f039ee715c2f1c69690d4208c2
SHA256

0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1
SHA512

68e1d709109ee646e9ef8db0c85fd7817d4dd0634fa72df74bb781d43fd420366950e2ba4541fcf00f0518849921707bde56271b719e81aeff9fdd44ff8f6de8
SSDEEP

1536:V7Zf/FAxTWoJJZENTBHfiPRdgTW7JJZENTBHfiPRd2:fny1tEwtEt

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4145) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5004-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/5004-658-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClientSideProviders.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Input.Manipulations.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe

C:\Users\Admin\AppData\Local\Temp\0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe
"C:\Users\Admin\AppData\Local\Temp\0bacc2578103ce05f697eba4ba9d168924ac80172cf0bd2ff36d91f834f36fc1N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp

Filesize
102KB

MD5
e53e5febe0e3810329c6c75eb91a19ee

SHA1
a1a0d2d85b7581980be8b4ee9bd27c28e2d598d7

SHA256
c664f58ffb044e687d5e1009b855d95caa7f7254d037666443ee2ebc804f5abf

SHA512
2aa350bde6bff19d65cf8aac0a3238e73753d2b4539836126e5084fd013e82a1acffba84e45c76bcd6110e0146569e73b82a2e5c3cc72b4908072aa821363838

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
200KB

MD5
07f7f61685da9d1a820d857f288409fd

SHA1
b755cf61c69c1076401d3ad11a8984f1a0a6a4cf

SHA256
4d427859e17b6807214343ed05adc825526930cded71c94b88c48e560dccabb4

SHA512
d808857fc443d57c2436369a5d6040bc2fbef2ce3f200637fcab2ad96905128fe99fcf47e132212dbdf689c96ffd9ce1cdaa4be7467f32b01e02f4f4afc6530a

Download Submit
memory/5004-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5004-658-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads