f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a

General

Target

f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
Size

203KB
MD5

6ad7f41f17462bd1fe645a2f27e89eb2
SHA1

2b022478631ac63d5b4d3bfeec26eb5f0e745788
SHA256

f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a
SHA512

7695c1426082dffa4182a9b9dd8ac775c664618e25b2c2961193039ee71b4a5333e86ea24a9c15cdc8291ce4edf5842afaea735f9a1fe9e76ca983853d669f5a
SSDEEP

3072:enaym3AIuZAIuYSMjoqtMHfhfJ6W2QZwKS7sSE:wHm3AIuZAIuDMVtM/L2ZKS7sSE

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4675) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4180-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4180-1602-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4180-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4180-1602-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationNative_cor3.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\zh-CN.pak.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe

C:\Users\Admin\AppData\Local\Temp\f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe
"C:\Users\Admin\AppData\Local\Temp\f0d748a8bd6eb30384e806d85f96f5c8239a04a98bf7854fa5e3b75c086e484a.exe"
1⤵
- Drops file in Program Files directory
PID:4180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp
Filesize
203KB

MD5
3e51a3509be2b979e6da5c6e0efb4bbb

SHA1
ec2fcec849c0461be1765c2c81a65170d4ea2f2d

SHA256
be41ba7b234c1c4427a817bf2053eb0791f945c804c4334421142cd3572358a9

SHA512
b98bc914cb46a0f474efaec4acf4014bf45cb08554dfcf8f4203e79392ac56f55d683ff6ac1a561ea7d978b4a24e67896bd4023106d50abb23d6acc3ed47b4af

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
302KB

MD5
5003ca0637ee5d6fdca7a15e5220da82

SHA1
ed65b00ffe1171fb066d5e97be1b61495dcf51cc

SHA256
19f474fc84228c57d8be7fe16d1fe19b942abba15fa4d48f8618382d18b6c692

SHA512
426b9aeed9d131c2a6abd36d7be14b183a473f34eb01cf88b1f220e43891c85ad7b92761d25905044c75ac94c4a3083993810bdc2baca25ddabb85b94613be3a

Download Submit
memory/4180-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4180-1602-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads