60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab

General

Target

60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
Size

160KB
MD5

972826c0d25c16a9070043766d36d15e
SHA1

9c5b907682d21d2606594a3f93227c528d3d7c82
SHA256

60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab
SHA512

d1ccffce68fe8764b3dbec18a9f786cb3338ba6dd5947feaca33beb64b41ef94c2ea42260d97eeb361b166387d8c9d7fc3fc372ddc556c47ba498354784b247d
SSDEEP

3072:KQSo1EZGtKgZGtK/PgtU1wAIuZAIuXwFwtd4:KQSo1EZGtKgZGtK/CAIuZAIuI

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4728) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4672-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-4084619521-2220719027-1909462854-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4672-892-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4672-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4084619521-2220719027-1909462854-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4672-892-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\manifest.json.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nb.pak.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe

C:\Users\Admin\AppData\Local\Temp\60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe
"C:\Users\Admin\AppData\Local\Temp\60c4a2716597a4e30a60024d78bfb48b842381d709d905a5ff269cbeed3733ab.exe"
1⤵
- Drops file in Program Files directory
PID:4672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4084619521-2220719027-1909462854-1000\desktop.ini.tmp
Filesize
160KB

MD5
25caf76882b6ae05051edec9dbec5ee6

SHA1
a5cc0323a0edab0cbad4daf8bfdf7f8442ae3925

SHA256
2cdc98d0982030445a95f7a4f7dc3fa896ff176b44e71288000aef63b70c2cc1

SHA512
240ba0ae9a9bae231a38f9f1f073e04303f76c86ee8a4d4127d3ef78f67d3586e784c46803a1aef24ffdb7869c6f8117c35cb493af6e70e9127ce9c0841bb9d5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
259KB

MD5
24f5ca3014f82b086fdb936781067fcd

SHA1
e57636ae00bff5758a61aec42774e67b8f699ffd

SHA256
ce2f1bc51eae31d47c59b4a2cd1b420c806e34c4181e5a17053bd7d2bfd2054d

SHA512
8a73b1492c2e09d060dfa859c6b84f01cf490d074451e74330dcf0d5e8658b5c668bcc057006cc3b858ddecbe2314576b8581ca08dbb72269130e0135a046dfa

Download Submit
memory/4672-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4672-892-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads