a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517

General

Target

a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
Size

89KB
MD5

3d7640f2d0006c982e5c874e01839d9a
SHA1

a62a356caf46d66f1a7f234aaca6c7695c796fe3
SHA256

a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517
SHA512

71ee8c6c1b60e351f54cfab2615c6ae266c94e762fddc30596b1048fdab72b9c4bf4db317bcdfabcca59c6e823f30cbcb65d452d25c2d74f4fe27bccb1563337
SSDEEP

1536:W7ZhA7pApH1d9oVLQthbqbY9oVLQthbq51Rn6b+W+V76RbUkl:6e7WpP9oVLQthbYY9oVLQthbUv1kl

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.boot.tree.dat.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Input.Manipulations.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\vi.pak.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClientSideProviders.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\es.pak.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYML.TTF.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\UCRTBASE.DLL.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-oob.xrm-ms.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OART.DLL.tmp	a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe

C:\Users\Admin\AppData\Local\Temp\a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe
"C:\Users\Admin\AppData\Local\Temp\a1e5c445f62d6968443f1b6dfc4e2bc60e1fac21741c687f7605cd3591db5517.exe"
1⤵
- Drops file in Program Files directory
PID:3212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp
Filesize
89KB

MD5
b128c38785f044ca83bc0955231bc43f

SHA1
f13213f49c73b346dc75e6423bda3f83e0b07596

SHA256
0402a43e301c9c16214e9f5f27740ca3ce390253180099da1e34bc9f757d4915

SHA512
6f47a61e027bf9a88c1dc2e3ca8e51fad000fd2c0126ef7f93ff64a89d31038e3cd41f6727d4fc699d128fca8f93bd170457de32efcd8fa603d213caea48105a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
188KB

MD5
bf01ab977f2b681a8873325b96cf807a

SHA1
63aa44e1ae24efd565487f423516cf78b0fcd5e4

SHA256
61e43aea5cf8e845b6fc219695a09b1ac834174bbe4de469208aa8dfbdeceba3

SHA512
5d37b52bf4e50f3a0c73fba116b6ed14d6b1236610af6df27a66760f1918f5852c86c4fa2022c0d473898987ffc6f885176c230d64269d1e105bc0e5339fb464

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads