4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555

General

Target

4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
Size

64KB
MD5

90a2a7b57235e700ba43c66a385abd6b
SHA1

b67759e4dec5af1f42aa3a548948a759f71b3833
SHA256

4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555
SHA512

418a022a8819e0c9ceaa1bd339c325175953c6e05dbb48ef02bd45f89393e9c08362cd3c5d48ffc75af75034007baadd1a33aba057c632639e6ffb6148aa334f
SSDEEP

768:67Blpf/FAK65euBT37CPKK0SjHm0CAbLg++PJHJzIWD+dVdCYgck5sIZFufGWQML:67Zf/FAxTWY1++PJHJXA/OsIZI

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2128-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/2128-1832-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2128-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2128-1832-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-REGULAR.TTF.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\msipc.dll.mui.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.Windows.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WebView2Loader.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.tree.dat.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Resources.pri.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe

C:\Users\Admin\AppData\Local\Temp\4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe
"C:\Users\Admin\AppData\Local\Temp\4bd6c6c252d2358f46f1a54af4b56cf943ba0690546c2c68a7a35b68de514555.exe"
1⤵
- Drops file in Program Files directory
PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp
Filesize
64KB

MD5
eb7ca6389d5aa35fc6002862df5716f9

SHA1
a11b1eeb74a30e11fd7fc95be68fec273271b127

SHA256
50cbbcc2d8cbd8c12d5b64bcbe3d7c2968f0da14cb6fe8b6429d629fb5513541

SHA512
fa1f5576b84e20e7420ab23753547942c2902b1e2e817d0853cba5c4153465efaa6a444d847bd2cf178cd01606eee4ee777f0283d49ee35008175816ed8f35cc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
163KB

MD5
77c19858322227d1ca5bbc48bcd41994

SHA1
d58cb55dcedc82f587bbf4989b7c6adfd4901d7d

SHA256
937feb93476cee82203aa1b53c2536f628fe555e1effb7f9b6e22ba4255282cd

SHA512
20685cd2bf556e8effc5d24fb425f86cd701328c1f572ef61d129206504121bbe7aa287f93d651a776e6fb28713b69486822aadd27e7b3fc413d19055e68a787

Download Submit
memory/2128-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2128-1832-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads