7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5

General

Target

7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
Size

74KB
MD5

36b3c238e42a23880057dce3935bc9d9
SHA1

ae4f2a135510dffd89f0b5e87625eaff7dddbc82
SHA256

7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5
SHA512

c53905bdd3fc7a7e94952e2b94585651a8dc8c7d1c974f3b33a35a0ddc6eb440163507bb489fec04d935364323c8bdb6b2cf904760d56a9852716e763242edf8
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8xJJMJJ2:fnyiQSo0

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (1355) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1804-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp	UPX
C:\libsmartscreen.dll.tmp	UPX
behavioral2/memory/1804-426-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1804-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp	upx
C:\libsmartscreen.dll.tmp	upx
behavioral2/memory/1804-426-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.AppContext.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\ReachFramework.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ServiceModel.Web.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\ReachFramework.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-interlocked-l1-1-0.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.ReaderWriter.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\System.Windows.Forms.Design.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\System.Windows.Forms.Design.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\clretwrc.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ObjectModel.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Extensions.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\PresentationFramework.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsBase.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\DebugSearch.m3u.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l1-2-0.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationUI.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Security.Cryptography.Pkcs.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\UIAutomationTypes.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\WindowsFormsIntegration.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\WindowsBase.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Json.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.Concurrent.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.CoreLib.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Compression.FileSystem.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\System.Windows.Controls.Ribbon.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationUI.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Controls.Ribbon.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\WindowsFormsIntegration.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.Principal.Windows.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\WindowsFormsIntegration.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.AeroLite.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\UIAutomationClientSideProviders.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\ReachFramework.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\UIAutomationClient.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\System.Windows.Forms.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\UIAutomationClient.resources.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ReachFramework.dll.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe

C:\Users\Admin\AppData\Local\Temp\7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe
"C:\Users\Admin\AppData\Local\Temp\7dfb560940ecdebeba13034105109deffff8d09fd601d71812ec3ac4d01987b5.exe"
1⤵
- Drops file in Program Files directory
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp
Filesize
74KB

MD5
db103b29cc3271b816b52a4a1188fc96

SHA1
f711a238306b10ea93e4153ccdb61f32e1f9345e

SHA256
4f5d39c89ead8b3b8777b9fdda32c62cc25ffc630dabf7679b62a8540d1e4d7b

SHA512
2664defcab0d967b669292ebe508bf8f9598a6dbb2d28b4fc3ee96b01da83f476e7d97b716c179c5baff55c601304cdb58aca2271c62821c4531a18bc1e7558f

Download Submit
C:\libsmartscreen.dll.tmp
Filesize
74KB

MD5
02acdf48ede9d7c4ec094365d3ce6dcc

SHA1
d840f0c71f0b38313607ae4ceda0db1349ad3bd0

SHA256
d7053591aa429d5413384fc7b72f24a227de6770f3bb0cebc781d40f69963265

SHA512
cb4b8fadc883f14a677c4853d1ac6c7e4ae5ae94ad759993c8771f7e826b00207216bbb7930e65bdbc62921a369c473b2e65170058cfc6a5f61bba53c5761752

Download Submit
memory/1804-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1804-426-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads