ef1b9aa243fe67f96a64f50929f24888bdf767cbf5ca7d8fa82bdf4febfece16

General

Target

dd84809c765f876404d5aa34853847dc.exe
Size

124KB
MD5

dd84809c765f876404d5aa34853847dc
SHA1

9c945c5ab506e66ef99a2399a322f71ef123658e
SHA256

ef1b9aa243fe67f96a64f50929f24888bdf767cbf5ca7d8fa82bdf4febfece16
SHA512

fbae94b7f9168cf12ab2735a151b4521e409c3be80448fccb0c4affb6437d189b574b08fc78ca70c7c323f8c1de6b28408a28f1364ef12c91913a79026295a67
SSDEEP

768:/7BlpQpARFbh2UM/zX1vqX1v+1WbW1rjrA9ZONZOD5ZTXpFWJB:/7ZQpApUsKiX2

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (4761) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

dd84809c765f876404d5aa34853847dc.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\LogoCanary.png.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLPROXY.DLL.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	dd84809c765f876404d5aa34853847dc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	dd84809c765f876404d5aa34853847dc.exe

C:\Users\Admin\AppData\Local\Temp\dd84809c765f876404d5aa34853847dc.exe
"C:\Users\Admin\AppData\Local\Temp\dd84809c765f876404d5aa34853847dc.exe"
1⤵
- Drops file in Program Files directory
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2818691465-3043947619-2475182763-1000\desktop.ini.tmp

Filesize
125KB

MD5
60722b39eaa9bcffe9dad0924efde281

SHA1
356f74a0f47288bb2beeb439e570ce924a069657

SHA256
b350d7bcd6e01a825b55f407836c990e180d6376e3c5eeb37d329e784075fd6b

SHA512
358d04f32a29bb81ae7e522058e283b3fd3076dd5f5d46f6f677cc88a9f10131b9a92d57571225a2811ca48c042d9da3aad793de0bb60b47fca900bc4587be2e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
223KB

MD5
e6822d9f3f37e973966e12726e667fce

SHA1
ed70769247f209ad09ace096b7b4ea4d30450292

SHA256
a38974487f758af0e81985c9946de5aac0abf5398924d0a547ca219161c5dbc3

SHA512
1c03c7373cc10ec0f59ff10b2e107649d38c399d15d83343f71698d1c7ed4932a919411e58899ac6e038d5ce12c1a0b7aca7535fc2d1a6941293b39bc2dfae54

Download Submit
memory/1356-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1356-1734-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads