2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae

General

Target

2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
Size

58KB
MD5

26d103c339291f1fa7f07d4209b53ab5
SHA1

bbf7a6ce9d1e43ab5aab983c082d78c4c38eb5d5
SHA256

2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae
SHA512

47e85188b24308aeb3d7823ba8966ef884f5e8d3f91cdcc716a12cff62804c5f910bdbefa3f3df0c7e325f0cf114b2827a7bb664148dcd920a1dd5a9ee2e9670
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFFv:CTWn1++PJHJXA/OsIZfzc3/Q8yiz

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5209) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4856-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4856-1128-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4856-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4856-1128-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nl.pak.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\bin\servertool.exe.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp	2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe

C:\Users\Admin\AppData\Local\Temp\2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe
"C:\Users\Admin\AppData\Local\Temp\2ca0a62cfb6d094ff261565d71ca0888cb00d694056805dcbdd2b8d1ac0bdcae.exe"
1⤵
- Drops file in Program Files directory
PID:4856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp
Filesize
58KB

MD5
69302adda866b40a8dd2842c69044092

SHA1
27f704af243d88a835e43cba064766e86282b555

SHA256
b5fa7047be21b63cccb87f1536d69ac04d86cb91cce7f52d7f1088bae92bf2ac

SHA512
daca96c2cd2237b177a88e18fab9dbf052c06c8f9d7f8ed0285ff87fc6184dcfb73c6762542d5b2655fb55db6e42cb413ded8e405ea82dab54a6c6d344855c71

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
157KB

MD5
a9a82934d8b1ff5f58c5fcea9e7e5945

SHA1
5481b465601813dd2c105d3a3d3d604ec62ff09c

SHA256
d661a7092630c019020fb6fbc40806e76ad904bdb9fd3d0ed26e17cbb2d00042

SHA512
9775a8a033432dd9c013ba8590844b29621a87b0d2d98f544c7fbad1440abd5f0a01709445b3dd6feef019802d5f56b09cea8228d0121fa470509af41d490d11

Download Submit
memory/4856-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4856-1128-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads