7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393

General

Target

7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
Size

41KB
MD5

3997356a7e1e14c0641edac9d73f7ad5
SHA1

348f477c9142bb6a0091edf1b4ffbaa0d12f05cc
SHA256

7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393
SHA512

1bc72dd80d0859ce553b4862ef3bbf03d65ae23927fb96989e8df91d1c9468881f90e7a43df6753e97f7b6481f25a508a0dca32a0ccab0fd81f861fff3917cd7
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFw7:CTWn1++PJHJXA/OsIZfzc3/Q8O

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5259) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4856-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4856-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\LICENSE.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\dotnet.exe.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\id.pak.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe

C:\Users\Admin\AppData\Local\Temp\7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe
"C:\Users\Admin\AppData\Local\Temp\7c4bf5f1ed308b763a658fcde0eaf4c0a840cc25ec88c2427276afc44e23e393.exe"
1⤵
- Drops file in Program Files directory
PID:4856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp
Filesize
41KB

MD5
420c3a916624e3c4fcf8e607bcc2ef43

SHA1
57472009214ea1df6e859cccb136e559d60df62c

SHA256
915fb65189aace8963ac6434445ee9bbdecc60d27cd0dd7682aafd237966f223

SHA512
5976906860aa3e7a80d7ea5160f11d0ef5408280c63c44c264a8276f36a10086fb5ddbf23513d7a52bb18a8c53dd609b7e251952e21bf6bcc6c407f1aba950a6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
140KB

MD5
9b539d7c28ca8160907fae0754a20379

SHA1
4e787890fa6294cac4e243b9a88650c25a78d209

SHA256
92a1412e2f1bd25e61ea406662e32af821205956cb510b7485a238727c7b49ec

SHA512
2907eaf724708b0647cb8e67016030b7fd74c1480755c07eefa96bd29ad0ebe4ea0fc18b6b347d2262bbacf2ad044ea0887145a0582d01e6e95e428aca2e2173

Download Submit
memory/4856-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads