74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551

General

Target

74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
Size

163KB
MD5

17bf9acc149e57816b1f9e2ea01db975
SHA1

3c8fbbe114e82e7f4899f416ba489fd6aef4e5df
SHA256

74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551
SHA512

cd8e225364144219b1eeab8c0d9bf479fdec8e046fd4a36493b592ba34ba6a4f9a4b5664cfcc85a3e9018e2e222ad63e6dd8eede5bd954e58cad1899a0ebfe82
SSDEEP

3072:+nyiQSo+xFiQSnJOIYTXof60qoYKQJdRXOiaXt5iVgmz:JiQSo2Vtof6zRjdpOL95y

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4779) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4228-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4228-1746-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4228-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4228-1746-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationTypes.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe

C:\Users\Admin\AppData\Local\Temp\74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe
"C:\Users\Admin\AppData\Local\Temp\74cb0d4e1d03a4b67f75e0a3bfa1170b18d425d5e30570d348dcbd38f1ca8551.exe"
1⤵
- Drops file in Program Files directory
PID:4228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp

Filesize
164KB

MD5
e9f4cd5237af1469c304027ef9c97550

SHA1
d2e78b16d972f9d8a662fdb3d318e1465b3d0522

SHA256
74fa12db792654e8b038e101cc65b99479ea1ce3d0909cb4ee1739c3f5846d47

SHA512
462ec0ecb0060b8fdc2503e8d1f4a75ecd752a77bcf272b3dfcced40d01c2189e02d78e83294cfc6dcddf93d992cc953cb4634d71c95d74b925d5a5738240a78

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
263KB

MD5
aca17139c461ef34fa0586298a8a0f10

SHA1
9629e3f0fadf2f83438010932b612313743b35f8

SHA256
acf0b7c99bdfe15de7047970e45ec582ba5426de3bac2e74a2f7b329fd99718f

SHA512
775b90253a7146385c40e2c86a58f77c5449061ea2747801dc5a9e419ad7b665c3206493ef34d2609e8084a9536d832584129fbcc0763d9709d859066a88dd8c

Download Submit
memory/4228-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4228-1746-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads