381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93

General

Target

381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
Size

84KB
MD5

0821e0b0e9a904d7733f5a3ac314e460
SHA1

34a7ce58fda01653dd276bc6a064f536c68fc58f
SHA256

381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93
SHA512

ba82367a4b638491cbaeb447e7aa2444c727c9ccca77b763b7e148f86e7fb6cc4d03d3ece0950ac1689b981ac14118b22d3a6c58967a2991d80008c7e90e5717
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+eJG/x/0VXac:6e7WpMaxeb0CYJ97lEYNR73e+eKZ0VXp

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\libGLESv2.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fi.pak.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe

C:\Users\Admin\AppData\Local\Temp\381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe
"C:\Users\Admin\AppData\Local\Temp\381069f3229ecb5130bf78c35174bdafab76b7132e6465079690e47903772c93.exe"
1⤵
- Drops file in Program Files directory
PID:996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp
Filesize
84KB

MD5
b2d8309b3bef6bd8b676cbdc72f58720

SHA1
af0c42001679703b987665ce26f7e208a5fa9bea

SHA256
ace0a23e15bab0364366a1bbcb1dee0cc900675ecabdc48d354505d1c48c050a

SHA512
bd9818fe1ab3aef9588a43669a03900658a0ec492f810f7007fc3a31bc6aafd59b78bde0de2cf4fe8131c5e588fad9f2ef2f3e2248000017516c04292b45d259

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
183KB

MD5
1f1da81150dfff16aed3f15e78eb58fa

SHA1
229e0144bd9adb4e17e0567fac9b586d7b2c1171

SHA256
802b84fc3996df5ba6b1e51dee39cf28129d70e92065664fcaf2bb2ccda06f82

SHA512
fe786bd8828aee62c31e0898a427058a7755239210d9e1790b5f263163c9c3fde4feefd240d75cc6497f8a06027f21807da5d2c0e6e9d1a30b1f02d5f6fd2ad5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads