bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6

General

Target

bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
Size

45KB
MD5

1de88bc39afa8b62ec18aa69f70307a7
SHA1

2b4f0b1fe8912a10d9d21d8ea3f55a4294bcf9bd
SHA256

bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6
SHA512

910546370f0e77f261d431af9f389686497de4e5df9e339dc5e1cae1fe8e2dd97c93f45df84e2fbdd29d0af34d67a38b9737d683c8860bec898a90bfe38f10b9
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzf:CTWn1++PJHJXA/OsIZfzc3/Q8zxF

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5194) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1860-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1860-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\AssetLibrary.ico.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp	bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe

C:\Users\Admin\AppData\Local\Temp\bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe
"C:\Users\Admin\AppData\Local\Temp\bf53f923fca56e736dbfa88e1a691e1ba8ea872663948b4e253c89dd375a66a6.exe"
1⤵
- Drops file in Program Files directory
PID:1860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp
Filesize
45KB

MD5
f4e2e5d88d671798dfd510eadf7aa395

SHA1
f484a1f4627e2ddae723cad849e4dfe03d095110

SHA256
9975b08ce210234b515eb96921b687f5e51e18799c5055092ae69929225e23cf

SHA512
987cc3656435d17f165493fa1d2bd6ac2ba5bbe4072069e1062ce9b891cc145e3abf87f76e1b985cf4d49facb4c33853638e617b64383d0ab52deb7857e9395f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
144KB

MD5
a0370c592bdb22ff71ad213e04899bf3

SHA1
87129e4bdabf065a11780668cf704d871dd75af0

SHA256
ff352b8f96c1ba8374a58af19fee7a5e850ee4bebc52966b5cfd9ddd6028ad8e

SHA512
25bfc21fcab5d9be16b1a75ff421b43d705ba3f7ac9b636917c491248bb554e42cb03a7222b3797cc71a429bc86d09baabd45c3c64320ae7f8e0eedac073c8f3

Download Submit
memory/1860-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads