4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52

General

Target

4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
Size

65KB
MD5

56ce46f9869e0c331498e3cfa95ddbe4
SHA1

d2a53623ffcb434f2ce7a4ba42e488e9d39a0308
SHA256

4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52
SHA512

b719d58d9f3ebfbd9ca0076da018390a1d0c5aea14c5461bfb472a30aa9193562b97af13a2593a2dc9bf5dbb83115c1ee2e6420c19e55bec85fe69611076ab66
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9l2pqpK7o1LDdaNSf9Rio:V7Zf/FAxTWoJJ7TgwvLD

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3176) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2856-72-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.access.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Christmas.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\ExitAdd.DVR-MS.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Paris.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgRes.dll.mui.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\London.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Java\jdk1.7.0_80\release.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui.tmp	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe

C:\Users\Admin\AppData\Local\Temp\4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe
"C:\Users\Admin\AppData\Local\Temp\4d27ed2d8136c33e97a5dd83cf08a2ea82d72420a41009681f472721b3f5bf52.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
66KB

MD5
cdb72159409367200933a85eb233b301

SHA1
6e1d3532d2323492a31ee94df054219428eb8df5

SHA256
2920ffdb72d1d854bdc380ea50287b0a4d8556d98fb26b78e5e99a061b89b16d

SHA512
a7b12203fea92d494ba5aedd9b2877e974aa82f1d627ef427aee65daa017082e5883de0ebdbca3f5912b6ebeb54a378fc3cc0f7936e25f04484b64801a4afa36

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
75KB

MD5
ec4cfd2b87a7acf1df71f0e8c4ba1fa9

SHA1
e461c062527ea1ce14fe984b7a88cc35b183542f

SHA256
cf79882e9cb70ec2321c13d9f7a7cb7b02ffb961e863420d9f934141bf33db9d

SHA512
0abc773a8e8784cf6bf534880dc924312447c225f6bb850f308d04b2c7897385999f3eac29df18ba5afe241fd61582886b05a26545e0052c324115e173b58c30

Download Submit
memory/2856-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2856-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads