a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc

General

Target

a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
Size

70KB
MD5

2f8c0d05ce9f47d6ab1fc36a9c47097b
SHA1

08cc620095523a86a063e39259260279a2b17958
SHA256

a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc
SHA512

4ef7bd03dcfe51b1c6b33459278bda1ae167c54875a77d0b448ee95374a8233d84f1dc06c4ca40fbde15ba9dd4977cf51541c8a6c0420c055d5be239b565b270
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8asUs18/8E:+nyiQSohsUsOkE

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5017) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3248-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/3248-1788-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3248-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3248-1788-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fil.pak.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.resources.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe

C:\Users\Admin\AppData\Local\Temp\a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe
"C:\Users\Admin\AppData\Local\Temp\a8626e3d6a692f5888fad9c917d96af6814fac73305b4e665051985ec0acecdc.exe"
1⤵
- Drops file in Program Files directory
PID:3248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.tmp
Filesize
70KB

MD5
0c1003db88ef7ea1ebb57c8422b0fafa

SHA1
691324c25465f66a287a760c74067dd62e449028

SHA256
138274dc602aeb80c7b8392166867e660c10ff3a715e9b909d552bf5dd0fe4cd

SHA512
61e55be3dd01a9a2dfe0bab6fc67abd8024e8d63f76291aebd5520b1b764a0876d328fe27d1573f133ef44a19a8dc801a23c4ec6036a62c2b653e135decfff96

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
169KB

MD5
a9efdad24305c032d833dd487c9658a8

SHA1
17189da19ad338a05c014d4b52e1693ecd8374f8

SHA256
7c2d23149fd176e70de3cd18ae56bb3bfeb023e082a9a7eefc3cb5e4cbe93275

SHA512
f0cba79d90120ce1554a631a901149b9d5bfc14670925df99d5f5424f78e1ee02046ac9452d987f08b05daa690962fec06788d57d958c5f9b1e7e7f9a69392ac

Download Submit
memory/3248-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3248-1788-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads