e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0

General

Target

e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
Size

59KB
MD5

994b1cdeb29e449788b8ed4922a3d821
SHA1

b95d57ef68196ca73fea9b6341177f8808807891
SHA256

e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0
SHA512

e9f573fe7459184f25e4c060aefa54669704d38a368741ea33044cc52268a5bdfe6857d17c7e4f4666321e8de1ad194d6b6628343f59bd03d6236d4de17e6d1a
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PV15Rd:V7Zf/FAxTWoJJZENTBHfiP3zemA6H

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1268-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/1268-64-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Internet Explorer\F12.dll.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Microsoft Office\Office14\VISSHE.DLL.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Windows Journal\ja-JP\PDIALOG.exe.mui.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Midway.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Malta.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\index.html.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kiritimati.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\ShvlRes.dll.mui.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Mozilla Firefox\postSigningData.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.tmp	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe

C:\Users\Admin\AppData\Local\Temp\e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe
"C:\Users\Admin\AppData\Local\Temp\e14c498dd7f8708b5c15f54535c416223e9f09fed68de6dcda8aa081581084c0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp

Filesize
60KB

MD5
f8820fe5aae0c09759cea6e734d18d1d

SHA1
91b3383663546cbb57b8329db6a03c18700de09e

SHA256
d0e9bc0d6e1c266bd67cc3c5a857f0423056c18ecd453c4b4979abefc6fa5afc

SHA512
340e17fe97e1ea8d00df6430230e199ef8dada96c300940de9266839bd75978804a68f0c1c7f75080694cf6f71504211f45ecefa8e7cd5504eea958b840b880b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
68KB

MD5
c6f06cd3573ead39d591b79335961062

SHA1
1d627034b0188e4cdda7e90be1eea5dabb276747

SHA256
4d7dce0808c9f85f2b446165c433513095b9506a3c09f217e22def238bde8f32

SHA512
439338e3f7e354e7293e55d9c91bd4a27e1ac514a2263d0d73e478a7fbac0d5131db1bd98173232a2f6ff6e799ab90a5b85fad9e389a5a0c7e97615c9db5a04c

Download Submit
memory/1268-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1268-64-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads