14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4

General

Target

14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
Size

99KB
MD5

02c5e6bc836eec78fcf882db56e393c1
SHA1

9e7c6d04386dafd07bce50bb075b451dd0dc4af3
SHA256

14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4
SHA512

61fdf94150028564953a20fb47bfaa2d275b6f628c515debd8f60976a054ff962ab89c4db795f39c7fa2327d559a1d1545a9646d6b0fcacacd817c98f74d7117
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfx:hfAIuZAIuYSMjoqtMHfhfx

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5029) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1360-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/1360-1056-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1360-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1360-1056-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnPPT.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\preloaded_data.pb.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.tmp	14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe

C:\Users\Admin\AppData\Local\Temp\14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe
"C:\Users\Admin\AppData\Local\Temp\14978943d59801a0d1c88b1809d56b0f8864db7359d7d609e1666eca401d38b4.exe"
1⤵
- Drops file in Program Files directory
PID:1360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp
Filesize
99KB

MD5
96c29037e952b75e28dc998037ca9c61

SHA1
5ec91e2dbadc575c7eb6deb3c4f76498919897a4

SHA256
4133cc83b31735693b107dad815c775d8f840729ddbf72e04a4bbd7a4f38d955

SHA512
a4c530541f81f27f46ae93cb38b8a5f3cbaa3f9ffc555175227e6fbbe6de29f6cebfb2a4a219360bd547fa8e109ee92191ec11058f4d053a03175c91f86f4fa3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
198KB

MD5
71049415d4e3249f9e15e7b698104a23

SHA1
f4f5180fba3296618fd014e981bab7a20c67c4f8

SHA256
48d7fd4e23e773584f843ea69888f32a18f26ed1605ef188567e03e90c028ad6

SHA512
49a962bf4982e75f03bc284ed4ce33a6d1ecd14a9f8660e9bdb92be243fcc79de9a6a15bbf195130672d820c2caa2454cac046daf2c2177ca05375b9965f944a

Download Submit
memory/1360-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1360-1056-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads