ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00

General

Target

ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
Size

97KB
MD5

1a307ace8d3bb56789a2e59992299fff
SHA1

c9e2041042e9501aea2868c0d8aa31e7bbf30a52
SHA256

ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00
SHA512

6b4a7695e3d256ac5e9e85c1b137577a4c1d079e05f79e1b2389833ea243b0ef7edae17e20aa8dec19511f7ccab40177ce8199bb052b8129c2859936da9d3fcc
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfh:hfAIuZAIuYSMjoqtMHfhfh

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4846) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4736-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4736-914-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4736-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4736-914-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\d3dcompiler_47.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\te.pak.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Threading.AccessControl.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe

C:\Users\Admin\AppData\Local\Temp\ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe
"C:\Users\Admin\AppData\Local\Temp\ced67669da149155b2dec1a541ec9596850bb52b6b07bb9f0b17242e597ece00.exe"
1⤵
- Drops file in Program Files directory
PID:4736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

Filesize
97KB

MD5
e4290a6022b7632b1d3248712b2b6010

SHA1
b93697ad6fe5058ffaf905daf4185784af30775b

SHA256
26c934352957a623f306a7be1ece56bfcfd8eaa41ffa8fa9521f4a319ed3b676

SHA512
dd4b136856859131e09ae0964e2f74ebd0af08965a172fb4c00a6df407e6e99fd233d0ef8e94daf5dfdd1b1d9c9ec8ecbfbae9eef1a7dbcc9b16e3ab3c6b8d7b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
196KB

MD5
834abe687ef584757924ab3631e82e1a

SHA1
fc5b6b1c5c85ec84c7b17870b0f18995ac1e0d1d

SHA256
1dd943aae00321bcf74471d111c25071a4a1c6827aaebcf8ce4b3444eb842231

SHA512
424de1b72fcc83359262041b4ac2bdff1dc5b65a72eab803641ba4b92df059731bb975e887c305c98ce5c029f0d70c3cdebacedccfa67845b2715427a437d2f6

Download Submit
memory/4736-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4736-914-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads