edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8

General

Target

edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
Size

80KB
MD5

59395313dd3d5e306907f5014f61f7bd
SHA1

86dab9ec8e0e8db7c48b12f612a63687770bc156
SHA256

edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8
SHA512

45deeb42f5fa8abfcd8989aa814a9fcffb7146a7c64e064ac29a2d5482f4e9d7a7f9a3fecaebbeecaaab4037b33eb2761afa6888ad9939fa20878875d124e613
SSDEEP

768:a7BlpyqaFAK65euBT37CPKKDm7UEXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2W:a7ZyqaFAxTW8iVRRNRR3EBbAjEkjEE

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2380-26-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Internet Explorer\D3DCompiler_47.dll.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Internet Explorer\perfcore.dll.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe

C:\Users\Admin\AppData\Local\Temp\edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe
"C:\Users\Admin\AppData\Local\Temp\edb8018bf47fd8aa3bb8c7067dcf2f5e0ec2c585e6f3054b7218a8036278f5a8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

Filesize
80KB

MD5
adb3f24452c4913eb56a24051b76271d

SHA1
5ab80797b508c940f91fe2dd3b756b5a9ccb1c5f

SHA256
c830ccee6da4157dd15500b14263916fe357d1c0e46593440a2ab14d2ca2c902

SHA512
2510facf3c91e6123966bae7351be9e765fd9f17ffa1fc54358f04c925740e3cb7b6b7f947d863df42fb1d57042fda079197f09581d2ff5f0f86df76e0aa3f3c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
89KB

MD5
3c344ab8aceabaf0bfd3ae3a55d6b191

SHA1
a820fce87457fd788c85ef145beea3eae8758920

SHA256
6e30832fbb2e33842a88da9c51accb23af30846e039fbeb738b83365b4e06556

SHA512
8234f7d7ae23da3165b6dfe5c41b5d6f20d7fed34c06ccae9b99c04c5ba298b35d76e624caef2cba9d51b1f3fa1698c59da8b8b75d03b36ee229a8b85a892038

Download Submit
memory/2380-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-26-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads