28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904

General

Target

28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
Size

70KB
MD5

0a3d901108b33758c19774e0ea327726
SHA1

bde15b374e20dd34b134d6a406215353893df4e3
SHA256

28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904
SHA512

3b556601bac6f3bc70aaec7a04e4f13173a5af211eacfe1a99376785d8d4758f2eaeaa9828a16a8fcbf8f13e40d290b14392e2d93b24caa51f436a1df988f6df
SSDEEP

768:67Blpf/FAK65euBT37CPKK0SjHm0CAbLg++PJHJzIWD+dVdCYgck5sIZFmzWzXUT:67Zf/FAxTWY1++PJHJXA/OsIZpPEIUn

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4849) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4840-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jdk-1.8\LICENSE.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.tmp	28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe

C:\Users\Admin\AppData\Local\Temp\28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe
"C:\Users\Admin\AppData\Local\Temp\28269a9ce95e0e431ace85cf387e9b0c814cce0e114027d89acacab21245c904.exe"
1⤵
- Drops file in Program Files directory
PID:4840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.tmp

Filesize
70KB

MD5
3786a440087dc83e18e0e78f592f14b4

SHA1
a3beb9e28875034ef47752012a1148125e0b9204

SHA256
97d2571771cd8ad7dff105a25034b20d4a4d2a2bfec8db47416d03351f6bc36a

SHA512
3c14912ce3ac25ddaa7efb9d8a7101fbc968610a588ca6ef10a19cd1c58697c29cb4495f9dffb909f3a54da276b1608279bb746cf7361a033eb13daf61f4aad0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
169KB

MD5
1af28465cf6e01f1407160b2ad838150

SHA1
b6794d7aa75c61ee40cc64898a1215f15538170f

SHA256
ecf72a635c4e5a94b091f72c8e3f4bdb3571a98790f9541a2e4e87dc5ddaafde

SHA512
691aac9a319345ab8159c936fce4b0fcc206bbc5b689bbcdf57a97323d41624ae93cedba78fe353d3744a0a439593838815a156d117b10c44769ba4421d2e7f2

Download Submit
memory/4840-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing