329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2

General

Target

329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
Size

120KB
MD5

7c5fa50d1d4244879335af7927f5b53d
SHA1

5e60767a985b3f86932c1acbe0172d7ca198b7ac
SHA256

329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2
SHA512

7ba2d2421661d6eca3aaa977731c24c1f821c90083e13e974f6a1b3b04eaa9a749f320a670bd7d359872c0dfa3aa0537366c43fa3e9bb7967ef809b270004dcb
SSDEEP

1536:67Zf/FAlsM1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCR:+nymCAIuZAIuYSMjoqtMHfhfU

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (929) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2548-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp	UPX
C:\libsmartscreen.dll.tmp	UPX
behavioral2/memory/2548-388-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2548-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp	upx
C:\libsmartscreen.dll.tmp	upx
behavioral2/memory/2548-388-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.SecureString.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Emit.ILGeneration.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Primitives.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationClient.resources.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.Annotations.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ComponentModel.TypeConverter.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Channels.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Xaml.resources.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Http.Json.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Numerics.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Json.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\PresentationCore.resources.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationCore.resources.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\ReachFramework.resources.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Forms.Design.resources.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Transactions.Local.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.NETCore.App.runtimeconfig.json.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Forms.Design.resources.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Loader.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\PresentationFramework.resources.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\DebugCompress.htm.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encodings.Web.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework-SystemData.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Collections.Specialized.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.NETCore.App.runtimeconfig.json.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.EventBasedAsync.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.TypeExtensions.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Collections.Concurrent.dll.tmp	329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe

C:\Users\Admin\AppData\Local\Temp\329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe
"C:\Users\Admin\AppData\Local\Temp\329c7346f801e23cc8afca146c1a6fac19df48fbccb9f40856a4b97efe50f3d2.exe"
1⤵
- Drops file in Program Files directory
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp
Filesize
120KB

MD5
b8e7930879576b11d1c5fdb5d3fe883a

SHA1
e1905b547112aa6b48fb1df81f5764052e29a4b0

SHA256
0d083b191cba879bcf32d23365bbfc9720eff32256dfe56d5fa058e463645b57

SHA512
1fb7f24d11e24a1643750227e1eebfaff9f21a2ed521ee7f49c9f9239e1537c7024bba21f33936a3ce19dd8339d32403ab80baab2f9d94149b7b1d84694d28d7

Download Submit
C:\libsmartscreen.dll.tmp
Filesize
120KB

MD5
07ac8b1a0c4ed5a17f48b624503d934b

SHA1
2a30c6e63b12949f5df288dae7e2e094718b7575

SHA256
0af842442082f4e256d9a80564876fe0a2393bbaeb2291e9c321b53e04c7ebd7

SHA512
15e148bef88335661ff17389dee80c32cc9593acdfea2726ae05225665dc85a01cd5bf6942dcb61061d78b57df039a30d9b819d12956c52a5c39471cd13d77cb

Download Submit
memory/2548-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2548-388-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads