b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04

General

Target

b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
Size

164KB
MD5

cec4f48eaeb7dfc1debbaf857a7ab207
SHA1

0af71c8014f2281d3812abf8127f1b7fad299839
SHA256

b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04
SHA512

2ef2ae715e9f5f39022101769d521271d3a48fb1355c9a96ced4c4f369a2ee967bfafc6c6ea43ae0a959424b561b3a57becc22233eb7d4617b430f3f3b687124
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q1pkMJ+ZGtK1+ZGtKQNMdTajOtGtU1wAIuZAIuJB7:KQSo1EZGtKgZGtK/PgtU1wAIuZAIuL

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4740) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4872-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-259785868-298165991-4178590326-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4872-886-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4872-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-259785868-298165991-4178590326-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4872-886-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\th.pak.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\lv.pak.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\110.0.5481.104.manifest.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe

C:\Users\Admin\AppData\Local\Temp\b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe
"C:\Users\Admin\AppData\Local\Temp\b157f0f826cdb9dcf64ee49f3032840cee7dca3606dfd0f5b21096307f1d7a04.exe"
1⤵
- Drops file in Program Files directory
PID:4872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-259785868-298165991-4178590326-1000\desktop.ini.tmp
Filesize
164KB

MD5
5cf5eb7cecb451178cf1ca763d30ba7e

SHA1
bcf754f8944141e605eef98584a3ed35194d2f88

SHA256
de9bc22d2366376ec861c467a5028e69b17b8eff26b856919edb665e641e6136

SHA512
73e240025624bd3ecf85ce87e29763a9ab5f6b39aae108dc7b69815b09acc5f3989ec66638ee387f2a398d95629cd1b04b082e994a74233f054052ae9fa1541d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
263KB

MD5
54709ca3e3e9030edaf53a7d14620fbe

SHA1
64392690995f84b461dd98d50943f578e6b1bfb5

SHA256
f60bf09eec39b73e1b56be6ae14883d11d810cd382cb6640fd749708772cd2d7

SHA512
37daed04a467581fbd6bcebc37516e97b16333da83a616b1a5e1a4620ceec61766cd760881c7cc04d9e6c924151020f017b7618449b0f884730ef559ad8565bf

Download Submit
memory/4872-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4872-886-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads