c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377

General

Target

c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
Size

103KB
MD5

1bedc075301dcde41a16b5e76421638f
SHA1

fdc0d9f81122fc92cec5b6ade620cf2b42b54138
SHA256

c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377
SHA512

3fe6ec7aac289c814076df93997915ce5e42d2d8508785c8e4d8dede6bacafe651a862877310665e420c005431940fc4bfc6ce023da83f81d2bc3a673d2172d0
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8yTWn1++PJHJXA/OsIZfzc3/Q8h:+nyiQSopQSoK

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5014) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4612-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4612-1792-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClientSideProviders.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe

C:\Users\Admin\AppData\Local\Temp\c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe
"C:\Users\Admin\AppData\Local\Temp\c5b515d0832e2e51005003f16eafbc41cbf1f7f664d38a65ef16a372f975b377.exe"
1⤵
- Drops file in Program Files directory
PID:4612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp
Filesize
104KB

MD5
91454a4c13841f64978282a50dc48f4d

SHA1
60bb4b3631e232c6a8e3fee13322e3ef671e336d

SHA256
212d31a76301ceb7eb3b39ac8184904bf9c847eb238ca605790c5fa91387a291

SHA512
ff6c820b01961b4dbf2730ad795ff1fd340c8aaafeeb4c115c82505b2f881080f48cc266b33366edee82e3e4c89ade482b68872bd418b6eab678015a6d8d7ea9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
202KB

MD5
aadb1d096322b4efc4dced7ea98b9a9d

SHA1
796b08113f9103db4356c8483bdc3d6fecf3b3a7

SHA256
f88ebcba389f25619118d8e4a032690647071a309d5f4686a0eb686e393d5f18

SHA512
40d884215ebdb65fbf9c89abce82c3d9c730cce3982cb92f79cac762adf0f60e77b2c711ea3a5b3b7582a73eb107648c16867715e719769ac2ad64411d691318

Download Submit
memory/4612-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-1792-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing