f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d

General

Target

f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
Size

156KB
MD5

1b034aeeaadfd620be1ef0767d553c20
SHA1

46bd42345ebeab4178c7d4dee17943b5d9161b88
SHA256

f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d
SHA512

d7971352ce65c71d4698f6c05754471a47841592786cdead31d3b406255f99de322b412b01e96991808b32216d860c0aba9be3b45dd9b0d7ffd0985eeb50d436
SSDEEP

1536:/7ZQpApUsKiXBvzwvzXJvlwJvlH9/GTyH4xqN:9QWpngTJdwJdxtN

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (4837) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R64.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms.tmp	f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe

C:\Users\Admin\AppData\Local\Temp\f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe
"C:\Users\Admin\AppData\Local\Temp\f21f935e92c183b382b829494a21c59043646499c7f66d01b761565802a25e3d.exe"
1⤵
- Drops file in Program Files directory
PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-259785868-298165991-4178590326-1000\desktop.ini.tmp
Filesize
156KB

MD5
148b38d167325c9cada9115f1259dc1a

SHA1
f3672fe2e046816f8096873bab0c4d0fe700c98a

SHA256
523f06d0718239ebaf953bc6b502ea3e23263170f0114a42c71a0b8724bcda7e

SHA512
3c4f021f2324c5517a933e225866928f8aa95be9173fd9d6b74af4cea5a4f72cdc50dc028662d3e3a5aea4c61529d85ef552fdc31904912821517d9659ccd3d3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe
Filesize
255KB

MD5
2cfdea9bbdad1b94371a9042a5618342

SHA1
e6d510da49082fccb88580911346aaeec87d8acb

SHA256
d8bd1184203da2d27b2b159ab0c40849ab2fe31a3ed52f4edc5ab651dfb22897

SHA512
381c736c2adfce482170f7c3105190d5544719a1a7dddf52f3258eb4390295c660b20bffde852a978eed117080d90a0600a627048ed57bd09b930ecf9a9efcac

Download Submit
memory/2312-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2312-1742-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads