add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39

General

Target

add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
Size

94KB
MD5

edeb313b58c9cd4a8fa161e62bc28ade
SHA1

8ff9fbb0aa467ad64594a85bf1221a3ec162a721
SHA256

add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39
SHA512

5eee5b6b149bf8319b72e2a34647a385a528429a54a29ce822886f006b7b5b6858da3695352040da43e8b954c802f8d1a7d20fdbd17138daf7148be06431f7e0
SSDEEP

1536:W7ZrpApojOPG0PGQJwFJwkpe+eTDPfFpsJOfFpsJCAdCjHKP761wewz8eg:6rWpcOPxPke+e3fFpsJOfFpsJbgEJRxg

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (4843) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\el.pak.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe

C:\Users\Admin\AppData\Local\Temp\add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe
"C:\Users\Admin\AppData\Local\Temp\add1e9256baceaacffc453442012d9b8d852646013ecc6ef9007676e34868b39.exe"
1⤵
- Drops file in Program Files directory
PID:4636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2288054676-1871194608-3559553667-1000\desktop.ini.tmp
Filesize
95KB

MD5
9d009c87e1bd013e61734b5c11fd0ee7

SHA1
013e6ec220cdbc316e6e8d73c039e595aa389801

SHA256
c3779f6c3111fce982830b0ae807e94cce43f20f051c4343a0298d357ac0974b

SHA512
488e8aa8ab5c6d671cea27d78e1a86557de9f8ba5056f494f97cbf022b39468267fd58770234e46192b41ced011a77833a4614bdb14ac80d93356626628d560d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
193KB

MD5
dc0ea43b180a4ba1d5a60fcaf9116e97

SHA1
24bf83c25e79deb55dedf66130d3a3e93b1a6dd4

SHA256
592ad032e701adc79e37449d839cbe424881bcf4ea4fc59f8984a144a22ef271

SHA512
f9233ed2888d4b686fa679f70c73195ea85866c01432f5650da2cb3244d9c2728e858d805bc34417230d900f06c4189dfbfaa761a0c0de45a284d09e5c77f25e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads