1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5

General

Target

1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
Size

70KB
MD5

5acd933a85196f99826b53cd78574468
SHA1

fd01fd8940dfcc3847cc441ef7089adc3a16cd33
SHA256

1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5
SHA512

147779d10b6d8b76a774615ac73d08e0839bd5b0efec4bd6b2a4b7dbacd9d9f9a760b82c6df3ac356e9a4688289c747d68cd8828896f8baf1b0054f36a7aa165
SSDEEP

768:67Blpf/FAK65euBT37CPKK0SjHm0CAbLg++PJHJzIWD+dVdCYgck5sIZFmzWzXUP:67Zf/FAxTWY1++PJHJXA/OsIZpPEIUT

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5028) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/404-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/404-1842-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/404-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/404-1842-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Java\jre8\lib\deployment.config.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\C2R64.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\msipc.dll.mui.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe

C:\Users\Admin\AppData\Local\Temp\1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe
"C:\Users\Admin\AppData\Local\Temp\1b3d7946207b04ca8f8c76de1192b0d2de3d2fa9f191461759e8464ee60f70d5.exe"
1⤵
- Drops file in Program Files directory
PID:404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp
Filesize
70KB

MD5
4f985026e3d758db641ae1c89ff4038f

SHA1
9c766cd3f8d9086d6a3cabcc04e3b50458d1dad4

SHA256
ceda3de3280c3979de1ab5a42f715a0365b57f0423da62d7d6d304f88e4c37b6

SHA512
2091964b912e472a4842979f202e748b5c05559e902f05a4cdc0ba02f6549e2b9a1465ef855ce93bc27f533c73ca80376f27dfe0e7d2cd45fa74209c0695786d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
169KB

MD5
7f44181b85b487f34037f38040cf314c

SHA1
0476818cdc1c65ad88fcfcff8f4ed7cd81fece44

SHA256
2f257d05d1e009328b838d42a550161fa38c23e76a5c1e3e981da55d5c7a7794

SHA512
6c37e4247325e08f126223b0294b8de15e6ac02b3ea37d71d7a889bd9d07c847976f451742187f29c0b2d16c0c4a7398af847c8b2d0f3a3989ef1b4e643a5544

Download Submit
memory/404-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/404-1842-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads