9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2

General

Target

9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
Size

109KB
MD5

aed57497d961973973568cb5d1fa4bda
SHA1

7303d31829c3dffd8b7f4f79e918b4aa90b7f974
SHA256

9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2
SHA512

7bc86936c9ada3ef87ed4416bd7ff1dc79b5ee22a2bc4f17ee9fe9bae82775402d9bc2cf28cfa071a24a4c0bd33d1ed8e8421ed9ee889d91f0aed5a7eda3fbb1
SSDEEP

3072:fny1tE2tEtyKoIWbsHfySkT5GeCyi348oWGRPOzkjId6q8UdrSD+kCoIfL2YwqA0:KbEeEz

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3436) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2300-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2300-62-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Mozilla Firefox\application.ini.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\DebugUninstall.m3u.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\attach.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
File created	C:\Program Files\Java\jre7\bin\msvcr100.dll.tmp	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe

C:\Users\Admin\AppData\Local\Temp\9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe
"C:\Users\Admin\AppData\Local\Temp\9a08c60d5b03354210dc479f26500dd067d6f7182009e02504cf8f065c30aed2.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
109KB

MD5
854cd1e625f404cb9444d5d6d298c6dd

SHA1
064d8cc37d9583dfde54c70ed4380aa0240a1ebf

SHA256
ab9b48af9f62d00f2c5fc0c36f169eca2f5578f9684737d5d8cbbc459501d110

SHA512
9dceec7e44bd5a08252b0a2401b3bc9f90d81253003e06b4bdbdb451acfe7c817cedde70fa85a1c368d4a613c9a615a6842ea446ef7921f401b383578dba917a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
118KB

MD5
56a776478e134a2554338f11daeb43b9

SHA1
0d68ca3ea5b38824579d3520ce4963e09a7cabac

SHA256
aa68a06098945586e30453b4aeeaada254efb7df1f209c55b4d4f4e29879a367

SHA512
8c05fa61dcbb656231019a77dd124bfb91f0db6039063a6de9072b51bf10a9e9b16bbad36c388fc808b5cee105aded9a88aeec93fec880ddfcb800b6f631158c

Download Submit
memory/2300-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2300-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads