b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0

General

Target

b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
Size

45KB
MD5

8e1f0fbe4a382536e215ee10fdc82302
SHA1

1f65f6a167fdbdc063947000db371997decdc2f2
SHA256

b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0
SHA512

232a3953c5c0270c8eb4c3eb9b39801183120ec02da58d49d525b498a9f65d593b3007587b262de34eab9070510e08fba325bab5cfaf148d96fa6caa5f128a70
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzj:CTWn1++PJHJXA/OsIZfzc3/Q8zxF

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4840-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4840-1110-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4840-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4840-1110-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONLNTCOMLIB.DLL.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEIMP.DLL.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ExpenseReport.xltx.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat.tmp	b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe

C:\Users\Admin\AppData\Local\Temp\b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe
"C:\Users\Admin\AppData\Local\Temp\b609a41d1f5cce1345c7bea544de825ad8276a442e100540f792fffe07661ff0.exe"
1⤵
- Drops file in Program Files directory
PID:4840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp
Filesize
45KB

MD5
933774382066ffb7e1a8f7e99498a1df

SHA1
213d48e112126b159071150824c647de98d414f1

SHA256
b85c4223c03958a8960ac79d263ac284c95411e4fea63557815a2066e9b6bdc1

SHA512
17ae0cf4ce6d270f4ed673bae881931b35442a74a5256f6d09b97dbde06d88c52499ccc829ad49a9c9461f89e3ad1dfba7cf58540bd17d51c6edfeb173fb9d2c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
144KB

MD5
86dd6bf525b7081bab52a8699f2751c7

SHA1
44317f63933af0362edbb8b7b3fae38035325132

SHA256
71bc704257263c48062bc60e863c8b38c1ac8a55d407ded6f87274190f1c714c

SHA512
fe7bab71c3fc8ef1e6f6241f353bd0b833817cf2d9d13328e6b6f6c39e4325a822d3f23de9a4da1d4032f5a2ac589604d7e07edc27698a45f3acaf635760dff9

Download Submit
memory/4840-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4840-1110-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads