98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848

General

Target

98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
Size

103KB
MD5

895fb5e7be247ceb7657a342961906a4
SHA1

88051f790d4b1c7f341582a2d56e00dc6fcb4734
SHA256

98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848
SHA512

14f351385de2c2b7107ca51bfb8e5d55474f0c9d072e43efe3c8d40eb433f7064932bde95cb050a326bb4d735747a6c9cefad5906bc2ae0c0a593827711fac2a
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfz:hfAIuZAIuYSMjoqtMHfhfz

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5127) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2408-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/2408-1086-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2408-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2408-1086-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\manifest.json.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_APP.DLL.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC32.DLL.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png.tmp	98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe

C:\Users\Admin\AppData\Local\Temp\98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe
"C:\Users\Admin\AppData\Local\Temp\98c3629472e96e1f08e22b765cf2f1bd29dbc3e7c6a6404cbe53e49f986dd848.exe"
1⤵
- Drops file in Program Files directory
PID:2408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp
Filesize
103KB

MD5
45dd71a3b6e8686665fc3d2d41cab8a8

SHA1
f8e70aa6d48ce429c96fdfe75f618b5cdb73fb68

SHA256
ffb58a5345293716af904cbabe7c4db7ff3e4168183f481f190724af9b102faa

SHA512
e8aa9699aef95290acbf45674bd7dec3b5c644636c7ad1c39f818337afedfb6b1470343e15fbef559cbc06b4633c4ef87f53af9a0f90b0e365da10208c8b7a5a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
202KB

MD5
e38d26f432406b51d6c30c0450f92c42

SHA1
5fd86591fb5391e841c23ed698ea9e7e79ab014d

SHA256
639bdc201375c7e9c537586804c7a849e9fbb851045b3a37ded837b8bd1f5cca

SHA512
117f873c3b34cc22ce56d85fa78047f9b49674af97a2217918a7d0ad9bc9f1e0e232fe679004127565f2591c24f604a44ec8744e8170fc10f99789454f9eae9a

Download Submit
memory/2408-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2408-1086-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads