fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10

General

Target

fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
Size

73KB
MD5

5a68196ee5b86fcff908453bef00445f
SHA1

30533da9855c18c33d6385dd6d08f95fb16dc74b
SHA256

fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10
SHA512

51a2dc071a04b4c32a4f5c178539996ac6f4639a2d673bc1e4ed67e75fbbf014d188fd39db7a8c5fd339c59068433990ab8089510d02fa4858c85c1344e677ed
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8xJJMJJp:fnyiQSoz

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5129) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4424-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4424-1824-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4424-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4424-1824-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyResume.dotx.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityPicker.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE.HXS.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe

C:\Users\Admin\AppData\Local\Temp\fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe
"C:\Users\Admin\AppData\Local\Temp\fb29d420575509a51c6823a27ad4d029194007a88fd29bab3c2a34d1648ccd10.exe"
1⤵
- Drops file in Program Files directory
PID:4424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp
Filesize
73KB

MD5
252e0b3218a91641853c0307b703f275

SHA1
6614e0e1ceaf06ac113690837c1c6d47d9adf249

SHA256
17d805d7a50474bc3b2c6be57082661e9597f4f0671e412d5d3d224fecfed6f7

SHA512
6ade3aac2ecaa63f9318f717b922e3420033733a88976e9947fe5d3db1b84ccde4204cbbe586598d7ccce885617e256397bbf1d0cc3597afc6a42c2f50081a24

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
172KB

MD5
b2b27ad03c4db83d604777b6976f00c7

SHA1
0f0a8c44b03c87caafbb1ccddc9c737c90fdb9a9

SHA256
682fbc5afd18d346dfe09f1a6dbc4e226395497398afb9fbfce3e324b30867ff

SHA512
de5874ea5c26bae7797fee6aca87f3bfce248b0047d68c11822c407f71ea90247b0f09c0820addf2b74b8844f8a9e8b76cd292f46be3fca6cc92235a653e925c

Download Submit
memory/4424-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4424-1824-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads