a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832

General

Target

a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
Size

61KB
MD5

7d51687ced25058f2fd928cbe5e0ce99
SHA1

621e7b7eb1e772b6fcb1309322651779fc842e46
SHA256

a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832
SHA512

5c6ac104048970af095e837e124e464fdeb78afada2400a270fd56b479d2938bff9d8888e2a388f3d8005a9c7e93a6bda24ce91ad716c4f0a3e2047dac60320b
SSDEEP

768:67Blpf/FAK65euBT37CPKK0SjHm0CAbLg++PJHJzIWD+dVdCYgck5sIZFufGWQMj:67Zf/FAxTWY1++PJHJXA/OsIZ0

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4858) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4552-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4552-1784-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4552-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4552-1784-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sv.pak.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.DiagnosticSource.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe

C:\Users\Admin\AppData\Local\Temp\a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe
"C:\Users\Admin\AppData\Local\Temp\a8620e19a36b332272b147036dba06257360f8dc3b2ffea7d1978689cb16c832.exe"
1⤵
- Drops file in Program Files directory
PID:4552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp
Filesize
61KB

MD5
3f21302753932aef16852d4f055098cd

SHA1
5151ddf2d93f7e6843e1a15617d90ecfb1f08424

SHA256
422b9e536da3da3e57d87f8f8dcc509e5e21d1b984543b1c84370c3da805fdfd

SHA512
fc415c1221995af7041bf1d9b773cc9f0db203c8a956446ee30331497ec8a3b4b03795d438c3462287811bf168a73938cf5ede262f3ce839bb321a9c05c301a2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
160KB

MD5
4459278b21419a415fa3ec7f4282cefe

SHA1
0587a323b4d4fdaf98082a62383da64b77dece51

SHA256
59e8864db4fff2ae1fd3de8bcb3ce17ea3707ddcfc69fd1c23541aecb22c890f

SHA512
9459f2ab34871c34e17d4397f9e085d46195bb6a81d362891774894c8ac9bae48b8b796e8a8e6f858012f882467d49b2f16d4c361948a7bdf2c7896b6feedc43

Download Submit
memory/4552-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4552-1784-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads