0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a

General

Target

0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
Size

89KB
MD5

247957aebed186788f541f1081a92569
SHA1

6a3ed72744426179880e8d37c2a52a2b51162e8d
SHA256

0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a
SHA512

a1914ab3d80597905ffcfbe4b2d5747120d704dca186c6e94ffb3cf39f6a190e55fd0cf5a94f2295773e66392fadfce283290065365560f753de348905de62b0
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+eJG/x/0VXaqvd:6e7WpMaxeb0CYJ97lEYNR73e+eKZ0VXp

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5093) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationFramework.resources.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Primitives.resources.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe

C:\Users\Admin\AppData\Local\Temp\0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe
"C:\Users\Admin\AppData\Local\Temp\0ca1af6e27855ec06e2f1dcb2c691e759026ea9831b1c27dc3e0de8c0d024c9a.exe"
1⤵
- Drops file in Program Files directory
PID:4840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp
Filesize
90KB

MD5
30499197a03527d850de08e0ceb1e1ad

SHA1
13e554fc1b9f782dbdaecff074f233ea79def1fd

SHA256
67eb8b8e79b217ced50bf79280bb7551bc48430e6ab749925d7c558fe545a783

SHA512
e15e419acb1fed3307665514936ca0e57623619be0dcc5373a7adf1a8679cdec257eacb43061b97e6e8252fcd42bed9d92856a4cc0a5aac4550e96db084cf79b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
188KB

MD5
09b66671a92d1a180ee620256bddafaf

SHA1
1236898bbf89195cb9a43971aca29166a811e2ad

SHA256
127b36e365880f7e824b5153245ca9aa3f404169c03a13ee439f75d812091568

SHA512
9114711ea7c5ffdbc789f920ee60873ebf2dc97f325f844416441e11715e1711560ce756c56e79317fd61e708f5a4678f61fca8bff0e007e4864b0bd33cc2c77

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads