6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357

General

Target

6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
Size

63KB
MD5

851af2515c3ad972639f5dbab50a410f
SHA1

e2d24a6f0536b8f70a89f41f0f6a080bdea1053f
SHA256

6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357
SHA512

56a6f5a0ba4d10be143f869c28ff0bf41fc12371f1c8a955c79936e90f4d9ba8cd8fc8feaef3a62c492d6f10a3113ec91f9c8beaebc86301ee2468a31d18a0d8
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8E:+nyiQSob

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5242) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2356-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/2356-1962-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2356-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2356-1962-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ITCKRIST.TTF.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBCTRAC.DLL.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe

C:\Users\Admin\AppData\Local\Temp\6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe
"C:\Users\Admin\AppData\Local\Temp\6f665708ed745a0e1636c486d396d8afa4cb0ad5f30c5d7b454b2f9b3ff13357.exe"
1⤵
- Drops file in Program Files directory
PID:2356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp
Filesize
63KB

MD5
524a9d45be8ba2ca7d54a96834931748

SHA1
347ec5deec3b7df886fb1800026f9c39ac418712

SHA256
9b1a9ed1599a4c1e25f7a2cda912b8a0e1073248844be55ab4cc08679ef5e596

SHA512
6b5da41caa3946736a2b13564aa7f2204306d4784cc5bc225dea7ab6cb2c8a4705a25cd0aa6b284cad6a20f0bfe068ee76e457e5c95af59cbb6cee29a3c44ec4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
162KB

MD5
33d20dc19fa2857cc89ae34c5fba280e

SHA1
dacc4a3e7be393db325e9292d7ae39264e50c2bc

SHA256
93e6196c002b52c846f9719d0f220da6f6a1710cd7bd8fb2935cdb9c9e51bf08

SHA512
940c74b8177f64d6ed7f7ca80b6466844a9604b6de6d7634d21100d4b9be9e085cc3a2579d44f77a6ec499775988473d53deaa1006fe4901535c9e30108de100

Download Submit
memory/2356-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2356-1962-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads