420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede

General

Target

420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
Size

58KB
MD5

1b279bb71618661f62f5623fe1ffd8a0
SHA1

9c7626bd5f2c6270fde7f4c9f64960174527641a
SHA256

420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede
SHA512

9b842d77f73691d63adcb5cb62f0ff0f75c7b0474af78421a76b18f885095502325f1cc52cee53f3a3c9e350f296a1909598f108b91a37dfb56298b570315403
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFaz:CTWn1++PJHJXA/OsIZfzc3/Q8asUs0

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (1007) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/468-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp	upx
C:\libsmartscreen.dll.tmp	upx
behavioral2/memory/468-304-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.CoreLib.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Forms.resources.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\wpfgfx_cor3.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Extensions.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\DirectWriteForwarder.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\WindowsFormsIntegration.resources.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\PresentationUI.resources.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\WindowsFormsIntegration.resources.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\WindowsFormsIntegration.resources.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.XmlDocument.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clrgc.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.Cryptography.Primitives.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-processthreads-l1-1-0.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.Win32.Registry.AccessControl.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework-SystemXml.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.TraceSource.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Tracing.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Tasks.Dataflow.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Drawing.Common.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\UIAutomationProvider.resources.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-localization-l1-2-0.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.RegularExpressions.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.IO.Packaging.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-memory-l1-1-0.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ComponentModel.Primitives.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.DataContractSerialization.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Forms.Primitives.resources.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\WindowsBase.resources.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.Win32.Registry.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.FileSystem.Watcher.dll.tmp	420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe

C:\Users\Admin\AppData\Local\Temp\420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe
"C:\Users\Admin\AppData\Local\Temp\420e0811e89a6fb36f829cd68ec9d44fb5e2ff8b2a5c0970cf0f94db88411ede.exe"
1⤵
- Drops file in Program Files directory
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp
Filesize
58KB

MD5
d66422496aa41627b1181d5138f1c2f2

SHA1
b80bbdd2b005b9f2ea9ee2cbf54aa05124f01b93

SHA256
0268bd275f023c87d9eea24d846345f403d84f79b454e49f5eb5b05040a1ded8

SHA512
ba024374fbb9d2d9b38df6e72e705f68230ea0782a852e60e1888fb29da4eae436c7eac0f3797659810999a2a8ca164f0b95764991cd11d2d2a25bb8ad465f51

Download Submit
C:\libsmartscreen.dll.tmp
Filesize
58KB

MD5
62f120b9369d99cdbb8a34d782d067ea

SHA1
d3aff30d3e31033a4dc23efe8b3b5aecfdab87dd

SHA256
e3508462d40b4086bb129c6612f4b7174f3fdf494e8bb3bb5764f5e13adc84e1

SHA512
7afc8b4a469857c290a314d167560e85ec05e1977909351e7184fb359bb36cd45fc17bc522338a02756715319caf870a241d3bf20e0669a20806b253caf5270d

Download Submit
memory/468-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/468-304-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing