3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052

General

Target

3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
Size

51KB
MD5

8b1c98687ac632adaaabe0a53250fe08
SHA1

a5e0583290f068010710bbd65412c976b9cb8046
SHA256

3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052
SHA512

b39054d74de2fb677952575473b8fc0377a3d874afcde6004fb555950213b6f66f56c209e5be696eac26c335a324fccade2ac24fbe9cdc68abc76e4bb4a83cef
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFFi:CTWn1++PJHJXA/OsIZfzc3/Q8yi3nG

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5262) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1012-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/1012-1216-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1012-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1012-1216-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ro.pak.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe

C:\Users\Admin\AppData\Local\Temp\3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe
"C:\Users\Admin\AppData\Local\Temp\3a609f21121cdf04023d78f68280496292373e32fb1aefa75448a520e0629052.exe"
1⤵
- Drops file in Program Files directory
PID:1012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp
Filesize
52KB

MD5
abd97f67dc118d57670bdc2b67d156bb

SHA1
b481ab971550990b194beaaea7cabcb60f165f2c

SHA256
9a8b61b0eef4a149cec9f1814bd662359d6247b6a4a0465c7f158d5db2a72407

SHA512
1949a7c0d0442333362a907b249b0e28b7a23737c58a78bb0aa6b9c5b723291f551965eb89d826e774d206d218d84a03c686e9fd147af7c9dbebb31442a80fd9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
150KB

MD5
f990603073a795846e57d399c792d91e

SHA1
bffd76a1d2cfe01117f22568f99a33d33aeb228d

SHA256
fbe5e1dda31671b431e11a913a223b6fe64cc684456a2e289a3fe899a8c134b8

SHA512
765032e5811bcd50428a0bdefab3bd013188f5dd84c013526272ac1908db07177e6f46ba44c650583e3682be4e5a27692d1de86990d9c5c7104c2d8b2add459c

Download Submit
memory/1012-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1012-1216-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads