691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e

General

Target

691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
Size

124KB
MD5

32b4b4543f9707eeea3a30cfb6a6b6d1
SHA1

d67ebe9c9a0979c9346a9e23ca8e0d9bb212d927
SHA256

691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e
SHA512

1be2d2bf2133f8d6e97e130e4d959e45a9ffeb44d581570e62f07def60858e49c8ca308720b637ef3f9587aa267fe688bbde712534d17964be3a9448c0831901
SSDEEP

1536:67Zf/FAlsM1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCz:+nymCAIuZAIuYSMjoqtMHfhfC

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4837) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4312-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4312-1782-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4312-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4312-1782-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sw.pak.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mce.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\cs.pak.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\zh-TW.pak.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe

C:\Users\Admin\AppData\Local\Temp\691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe
"C:\Users\Admin\AppData\Local\Temp\691a0a5b5dc9446e306b70eee837ac132734a964dccc6fb0ae196528d9b63c9e.exe"
1⤵
- Drops file in Program Files directory
PID:4312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp
Filesize
124KB

MD5
161f720721c45e81f38252422a90841b

SHA1
dec4e7d9ae50899e291771c50d8c6579fc1c37d6

SHA256
d85c21ad4923c3cd7e132a7b34d67304d44fb188cf4639e50e76a2c987585a09

SHA512
30d40022f231e0f40395af7d270d7910d297da0c80fdfc3fc300672bc77254cbfa7cd831ec31e6a5b892719204c3e7b7a7c32a9a78d202ce18772fd394744412

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
223KB

MD5
1241aa034909edbf664a286238b2dd2b

SHA1
cf8c421e27e9a4b72a60da02c39ea79543c77b69

SHA256
f6cd6eb685f0f0ba9814a98122911d3204f2c2d3b7d1c76980d0a1a310284e15

SHA512
9a405755365a681eab79edacfedf144fe6eb170b9c4f7509bf6ffc9fdbdbb3651cc3418976f2e200f54824027d6a239dca16f93fceb6fcb53df922d4b4cde0bd

Download Submit
memory/4312-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4312-1782-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads