c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377

General

Target

c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
Size

103KB
MD5

1bedc075301dcde41a16b5e76421638f
SHA1

fdc0d9f81122fc92cec5b6ade620cf2b42b54138
SHA256

c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377
SHA512

3fe6ec7aac289c814076df93997915ce5e42d2d8508785c8e4d8dede6bacafe651a862877310665e420c005431940fc4bfc6ce023da83f81d2bc3a673d2172d0
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8yTWn1++PJHJXA/OsIZfzc3/Q8h:+nyiQSopQSoK

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4788-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4788-1614-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4788-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4788-1614-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\vulkan-1.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\cs.pak.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\local_policy.jar.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe

C:\Users\Admin\AppData\Local\Temp\c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
"C:\Users\Admin\AppData\Local\Temp\c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe"
1⤵
- Drops file in Program Files directory
PID:4788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.tmp
Filesize
104KB

MD5
e74cfa675a2c60aa603ccded3ba07192

SHA1
79dbb763be0b87e6ce3464b7efc243367611d2bb

SHA256
d8e6dc5d55c0b195c59621b486b36c09729d415ab7340f7557fd3c1fefc01d19

SHA512
151bb441c619dd5bb8030c35ea2c0c9993e3ee090aed1535673b65caf4f9791fd08fd43d71ff2d19c16a805c99f44d36a7229c7695f2f6fc112556f4a468551a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
202KB

MD5
bac628d0aaf0a95294948e1073102138

SHA1
09129691faca39dd4b5cc3c44c7f69ed333e8c92

SHA256
82eed2dee0422f76ff6d9c0e8d66e643c9e886dcfe87dc656fc7eb105a2bb97d

SHA512
08ac54af20ba9e2be31a4884c08f1da2a815855f17c79e5ee1a298067c428e8cecd521bb4fb3e6d00ddb3d191e4b41f6e5faa5b69aa9029d623cafbfd432d649

Download Submit
memory/4788-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4788-1614-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads