ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594

General

Target

ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
Size

45KB
MD5

6e095eb64cff162a1349ec8b1c10c833
SHA1

fd9aa46c3facdb7ffbd64abc70f90084138896ed
SHA256

ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594
SHA512

9c2d8f29005d3e3202eea3b50f6868082c9c37f66975a68bd015ab7f01f3d79e1a4561d3b2f6787a57d0c3e67af86b8251fda624b54879adda8a4d25704c6cc7
SSDEEP

768:W7BlpNLpARFbhblkYlkuvIYFhEwHQSu9EwHQSuy:W7ZNLpApCZuvIYsgVgn

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5078) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe

description	ioc	process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\nacl_irt_x86_64.nexe.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_100_percent.pak.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe

C:\Users\Admin\AppData\Local\Temp\ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe
"C:\Users\Admin\AppData\Local\Temp\ec63591a1a1aeb34a2f6d0e80be8d9715280e753611e14416cd056b9a6bcb594.exe"
1⤵
- Drops file in Program Files directory
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp
Filesize
45KB

MD5
8d90536613d7414075d662526a217e3c

SHA1
b01de2b4659dc0be67b11923b96291a66eed73f3

SHA256
0be0d48b43d9ad0395b6c2f1276348dee5ff8f8cedb1260b96d0fd88eb618aab

SHA512
7f0e6b92ebae73fb0ec1e20ed7de696b43d66ffbf4696c6e41a4ea772cd1be30f9bf551d104672345ec547ad8e273e63dbe70a99e31e624142fd6beb11358909

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
144KB

MD5
b5d325894d898f88acc2b697616632cd

SHA1
2b83fdb9769b4b35b15b946d1111c265c138cbe4

SHA256
f4ef9166f2d79d35045ed8011a80a59080faabf5475efa907abf14b76aa508eb

SHA512
ed92b0bfd97ae6ca45197c5360c57222a90df4231616cdf5a4f5383fc488d8a694ab2cde1e0b5f99dd15bc67886e49cdc2106cb04c6e21e20a74dd63c3adf955

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads