1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991

General

Target

1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
Size

40KB
MD5

6f8716ab63d33729682538510d37ec4c
SHA1

276a8ac246266998f30d8b51da00d1e5fe44e03b
SHA256

1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991
SHA512

6412cd812115d5b6ba153b7c99d65a12c07ff2521c6129484315e6f34cf5090cfa1f57a0c8e6b2cd67130ddae74a81de8a9bd113a9f3af605ce48e7438b8f743
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFa:CTWn1++PJHJXA/OsIZfzc3/Q8a

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5358) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3260-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3260-1222-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ca.pak.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHIC.TTF.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe

C:\Users\Admin\AppData\Local\Temp\1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe
"C:\Users\Admin\AppData\Local\Temp\1d5d0b76f1bd5bb7230f3711933dd907f62c1fe0c612b1e9e3139ca8b5330991.exe"
1⤵
- Drops file in Program Files directory
PID:3260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp
Filesize
40KB

MD5
3f6de3dedb5718e189f4f0222f1272bc

SHA1
7eba6a4b56920905bf47973bcf2d35cd089024d4

SHA256
e9809d3661450d9bf55cf40846bb6f742cedb4ef7da247fb492cc5f7105254a3

SHA512
c12bd6ae59f65178eca446d1acc24253fd5a6778d565fa129a6599bc721d9d0a6c0c35a114493e942e2f14331b9ff1e0391948ca603459389661dae714222ce3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
139KB

MD5
88bea29a18c423dfc4ac5632481f9b9e

SHA1
79e3ccc31febb7bb5bfd0c6fc6c8473a51f61d7c

SHA256
095989572b5a4da91d363128ee9f6c41c4d0cb1d0b8a89f75ef8c0dfde86cda4

SHA512
3d2dca2f0b849906b7afa4b3fe1c74e29bf2af88e46ed75189e28d5b91d376c687d8922526e540677f2cffb768225962d0720b7af83468c34685c7fd2f2e534f

Download Submit
memory/3260-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3260-1222-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing