adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04

General

Target

adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
Size

191KB
MD5

0aa8e42be65c1770d38bf7ae327f9629
SHA1

06e9e8b6458f4df592da23587e16acad51572d5c
SHA256

adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04
SHA512

6c23f28715acd9f7dd534313c456dbef58c17b1cf9891dbc069621a9e42a263361e9f49cd31f9ca511230589a0630e75989c1cba59a376f2b4e736c5dc2a29fa
SSDEEP

3072:+nyiQSo1EZGtKgZGtK/PgtU1wAIuZAIu/:JiQSo1EZGtKgZGtK/CAIuZAIu/

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4718) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2520-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-355664440-2199602304-1223909400-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/2520-1722-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2520-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-355664440-2199602304-1223909400-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2520-1722-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\bg.pak.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClient.resources.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe

C:\Users\Admin\AppData\Local\Temp\adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe
"C:\Users\Admin\AppData\Local\Temp\adba313f1b1a6dc56be8bb261371ef808a26472d020f300dabac2eef32742b04.exe"
1⤵
- Drops file in Program Files directory
PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355664440-2199602304-1223909400-1000\desktop.ini.tmp
Filesize
191KB

MD5
98498239dfe1f96f5047f4b435cdee31

SHA1
7d7d090a333c729da734626bb6f89cddca319323

SHA256
47e552f15ee34b35d60e71fbec4ceca2003dd988c3fe02b068e6a8c9ef042937

SHA512
ae4b6af1b099f4ab677a35cec863396b4c97b72e32dac838ea57f5fa2ac22cd8e0dfb07c6b702c9f696dcc2df77aaa952a0a1e8358efc3766093612f179e01fe

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
290KB

MD5
d397ab7791c6e706bf01cf2abeb3e643

SHA1
4fa93316a564987ca56f21699c768e142254bb56

SHA256
b503465474a3c474b1ccbb29063e5be01bfeb7956e715a4e6331b631a8d334ae

SHA512
4e9674f2d29537ff552ad61c282950d020469bad84e6afb8026dff8d00080a78f791cd4028dcb8e32e8db1ed8c12d0010196c3b9ed119b65b971c2e7dafa6e3d

Download Submit
memory/2520-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2520-1722-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads