8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3

General

Target

8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
Size

100KB
MD5

7b93b040d8539f6a541ca742d8670d8f
SHA1

b3e2719d91c7637c554e1b6d9dbceab8645cc200
SHA256

8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3
SHA512

d650a3c32e28413737fa1c89d530e9b78094469fda3a98d9eb1f7a8d98b0b92a8903d44b4c2e191c48f242f21a166076dc3709886cd237394f961b637fe8cad4
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfL:hfAIuZAIuYSMjoqtMHfhfL

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4846) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3672-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/3672-918-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3672-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3672-918-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe

description	ioc	process
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationProvider.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sw.pak.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fr.pak.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoCanary.png.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp	8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe

C:\Users\Admin\AppData\Local\Temp\8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe
"C:\Users\Admin\AppData\Local\Temp\8d6615f905e9e105a6d7fed9bb682352d21aeb005879855997ea22ddb468f8f3.exe"
1⤵
- Drops file in Program Files directory
PID:3672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp
Filesize
100KB

MD5
b5c54a1dafc589d83de2ea06459dca4d

SHA1
193847a4b76ff6d91449f60442968f9abadd6a69

SHA256
2343f0f98f9ea67b659d12c284c267d39ebdca7015b72caee54e940f95580914

SHA512
ffe82602155440ff0bce53da4ac6266132bcc856acba42d8d44a4b798fbd3e71be1fab13223e705fb623c368a2693c23e65677c1ca821afae56661fc2c8d45fe

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
199KB

MD5
cebd7dd11415aa40e529fff4ae759d4b

SHA1
4b0d00c29af4747478119977e5abb62fc1becbce

SHA256
1a2826e3188183e4ea171ecd7f70407914da70667bfff47157b1fff126b0db1b

SHA512
3bb18db5ff31077c8e50319c76cbedc38960e7e0190e625a53c859e4d7dfcf1fee4f046b47127f03718aa3ee8f5401acce7dc841deb117dbdf357eddfd1cb5cc

Download Submit
memory/3672-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3672-918-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads