f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5

General

Target

f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
Size

70KB
MD5

2ef68ec6125b156c6fdc86e24972e94d
SHA1

5991b136d1c59cfd9c543907f82df4d6c9d13754
SHA256

f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5
SHA512

2303e7c27ca90cb2ef2421cbccbbc674be8586e84a92ef42bd65e8f89d99c5a85d21701fae541298b41d4b4dd885ac5a3be6f166ef4ec668eb04dafeb7f93a8c
SSDEEP

768:67Blpf/FAK65euBT37CPKK0SjHm0CAbLg++PJHJzIWD+dVdCYgck5sIZFmzWzXUS:67Zf/FAxTWY1++PJHJXA/OsIZpPEIU2

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5117) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5040-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/5040-1788-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5040-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/5040-1788-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.boot.tree.dat.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.tree.dat.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\es.pak.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe

C:\Users\Admin\AppData\Local\Temp\f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe
"C:\Users\Admin\AppData\Local\Temp\f5cd8f594b9f956c10a581ce0cb04fb4b8f4cffd823b3ba64727654d74840dc5.exe"
1⤵
- Drops file in Program Files directory
PID:5040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp

Filesize
70KB

MD5
a6da14dbdfa61ef914c4829165e1a51a

SHA1
010711164ac3adea2204de948955e5b48a86819c

SHA256
58b30ae188dcbb1d9212678e3cd6d4ca54e4c370c6c04a1d94db8ebd8bd2d956

SHA512
8bf2c2ec0493b356a442b4f0d43cdceac7f4b5d745c75f1adfa984040fb04172dfeca0eeca0d8d7b629015494b419ea38280ce7e7c33b307394ad35107017093

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
169KB

MD5
d90744d716d4e4f1b9db2f7c8059a172

SHA1
e3c528cd98a13be9dd945e0bca6a9adad8a6365b

SHA256
6ce50e39d77148e9877a76baf942b930e970c3fd821d5e812dc99bf8f946babd

SHA512
5f4c036204112c6a2a2595a88f7b38d298e919d2db9842b9754d868fa009974646958e68db5af4ca09cd219858030d66c4f99dfeef5f1154c1aa45adc29d415d

Download Submit
memory/5040-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5040-1788-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads