8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54

General

Target

8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
Size

75KB
MD5

18b705c7ce98742369a1ab58b1a86b1c
SHA1

6beb8c3ad5d904eb9c10a3ab29e3cdd106a805a8
SHA256

8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54
SHA512

dd2fbd155a45de1357ec8d98294508b11f72b3c65d195690de303f2a18f3f4a62cbd9d31420f183838638ef49a65a4d168734ca65f9e72264d03a5326d7510cc
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8xJJMJJG:fnyiQSog

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2504-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.exe	UPX
behavioral2/memory/2504-1850-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2504-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.exe	upx
behavioral2/memory/2504-1850-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ipcsecproc.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONWordAddin.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp	8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe

C:\Users\Admin\AppData\Local\Temp\8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe
"C:\Users\Admin\AppData\Local\Temp\8c5b2f3d95eefb5556746099ccc962aa7cb8b9c0f4c03521d4b5b92df965ac54.exe"
1⤵
- Drops file in Program Files directory
PID:2504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp
Filesize
75KB

MD5
cc24d92f48441a2c3c812f621cb88bb9

SHA1
11b33644b74555274885012da553a3c14b683023

SHA256
85e031e0b7c9c9e2240d6152e39ed6cfea81b107480a37f30c69af3c6215f31c

SHA512
f88837fd8c58d01caccbb716b2ad7af1f172728a3aab117a4567687050ccc49291bcf13296eb14d5f5d68bcec32c8ae6352092dc9c780f727f5c1a3ccc9bb3c7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe
Filesize
174KB

MD5
88320787fd9a90b6ec53dd849db83f10

SHA1
bd32100c179cc3edb162e840ccd1ae1b3acd42b8

SHA256
4df85dcc61b881d2dd78a1983dcd013b4bae42c571bf2064fe1da51bb2985b80

SHA512
2bf762dc6834602694dd08682273eae611087561f23b22c90efc36ffed245e0ce71f187dea9c8b804a2477f72f1779da1e75bf347b804a6178333d2036c1596c

Download Submit
memory/2504-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2504-1850-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads