4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02

General

Target

4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
Size

63KB
MD5

3862526723fda4cd0534d02d4bd1b08b
SHA1

613ace3ca16c96d4379c5367e0d277053185a535
SHA256

4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02
SHA512

e6882b87a46d6aa1d3552ff3db4cb177234badbccfae7ecdab7ba49302ce0deef3a06b2df483bc84c689c963916b29a67165ce5068664365f1b8f2fa4afa7732
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8O:+nyiQSox

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5148) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/388-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/388-1882-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/388-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/388-1882-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DLL.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fil.pak.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ta.pak.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe

C:\Users\Admin\AppData\Local\Temp\4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe
"C:\Users\Admin\AppData\Local\Temp\4a02142b34874b1dbea95b68a789945f2759cde311d3813f3c48ac9690adec02.exe"
1⤵
- Drops file in Program Files directory
PID:388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp
Filesize
63KB

MD5
98b9ddd92411fc08ce26f5faa2d1ea0d

SHA1
d323aad9037c831e74a4c572382779fc9f3b1700

SHA256
269fc1248a506618525b9bfe4d195daa61f44429d626d7eb91e97fb702f0982c

SHA512
35394720762e1c8d1e82601b94af18bfa0504e58ac724eb23569373694ef1871557f9fa5cbd8185cf23c0625c0506bc45850374b6e0900315a34e385c71caee0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
162KB

MD5
b12c62603c50037800fa6cbcbf81720b

SHA1
054460ab79f76f7d7bb45170d45565abcf3b8564

SHA256
705769adc35755fe87df4b969ca2cec80aa165d67c08af01215b9e8ddd90cc07

SHA512
961aa8a30a5864b5e72ed51e47afa3c344f5e5e2e90271e1163d58ab33f4d5f749b654ca414a46d5cca6677d8d83f99956bd0a3d6cdb1b889d91880cfc193feb

Download Submit
memory/388-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/388-1882-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads