bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593

General

Target

bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
Size

627KB
MD5

a8a22d60459533546a3a39fcb748350d
SHA1

efc376bb5b42051e3576d87f6092c3c247a1a7f3
SHA256

bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593
SHA512

775e27afaa8d36020aa5690787c982f8a6a17488d877266861ae9aec4dcce1e22bd8fc0f3cc9f7258364114036ea43dae69709d5cfac1ee4e628e02e3ab017a9
SSDEEP

12288:7AIuZAIuOAbh9txT3kTa1YXEylrepuyhTAmiZX2r1/Oy/SIEa61jhFqQ:I8TYa1KutFAmiZX8/PqIEpjhMQ

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3142) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2704-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/2704-1224-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2704-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2704-1224-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe

description	ioc	process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\pl.pak.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationTypes.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ro.pak.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fil.pak.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp	bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe

C:\Users\Admin\AppData\Local\Temp\bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe
"C:\Users\Admin\AppData\Local\Temp\bb41e7bfa198367df46be3afa7de9d5e199cc7da7144a8b0533a33c61bec8593.exe"
1⤵
- Drops file in Program Files directory
PID:2704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\desktop.ini.tmp
Filesize
627KB

MD5
02d4b4c784b437326e6c2d31c35fd833

SHA1
779e5a63fcc869ba7be9fb9bb73e6f2066d85daa

SHA256
6037049885b11824053402216aa90a168dcc17c15fcb9544e3a4b51e8ff75641

SHA512
eafc3a26bcd3dea9b1e15d53b4431d4c0553750da2630ba1727327ce3edc83a6f4adf70b877f3c3728528a3cc582755adcd20e2f60ccbdc57c2ea72ea9b7f8af

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
726KB

MD5
60d24c9cf7eaa84d1cb2318c69dea422

SHA1
7c6fe153e676cf58aea44fbfed40b859be02aac7

SHA256
46e926180708cbc083d87249680263df4a809fa29e71ae4caf42c78e0f0d102c

SHA512
57f303474ed014a506dc0a57bc524216f8b6bbcf92e0371868409684bfea96cf75d76012588b5bb0f5081fc0c3c8366680661006e12fb73a78eca7f175bc14f3

Download Submit
memory/2704-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2704-1224-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads