d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3

General

Target

d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
Size

57KB
MD5

1961d8b5f0d2f4b4b4c76f2e228a1368
SHA1

79526d849c025523550b68619e5a340774effa1c
SHA256

d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3
SHA512

50d486912ac9d6d1b90667e97842da30fbd8341cf2a7ca1a1438132b3bf271f5ef03e9c325e9b322f8d8d83cc2454634afbbe232472fe8782dc1ee7d9aea953d
SSDEEP

768:67Blpf/FAK65euBT37CPKK0SjHm0CAbLg++PJHJzIWD+dVdCYgck5sIZFufGr:67Zf/FAxTWY1++PJHJXA/OsIZ9

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.exe	UPX
behavioral2/memory/4832-1876-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.exe	upx
behavioral2/memory/4832-1876-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ca.pak.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\lv.pak.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe

C:\Users\Admin\AppData\Local\Temp\d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe
"C:\Users\Admin\AppData\Local\Temp\d37e364ab29a81d93d274c50601a93cb982371651380dbde4e979642405817e3.exe"
1⤵
- Drops file in Program Files directory
PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp
Filesize
57KB

MD5
b2399ff9d537f81332906403926daefe

SHA1
e7829ee4a7b44cbcab857900fbc50d2ec895a962

SHA256
9570281e90b5bea8c7294904b9b6d696404f7336894b84b9e984b03acbdb7a3f

SHA512
7f7f2490ec298edffe904f2c7ef617b673f21da5efe5eaaf11b0687748102aa18685ec05355d270428ad3bd7f935e4c3e7baf3aa874e3a6f2a37a11e9437a54b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe
Filesize
156KB

MD5
a2e3cd3e8af5f86c06ee835d11b9ddb3

SHA1
3e510fd2a108d3dfb8345c1d476810622048453c

SHA256
a369231444f2b8978a2f77d54b2d985d23701b5c2ead12ffbf9662d81f4db497

SHA512
7dbeebe27f25936856055d22f952ac6044ace12487830c5a31026da8bf5f4f1e994111e1105e9793d8ef9db78ccb49112b4ce3150cbfb35ea302a2065d1aa640

Download Submit
memory/4832-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4832-1876-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads