f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534

General

Target

f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
Size

72KB
MD5

56aeb4836951ec6c16c47be48cbc1225
SHA1

c9adce393eff3fea46a321d32fb53ec18039840e
SHA256

f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534
SHA512

cb28b26d40fffcabf1aaf3a8ef98af175efb5752494535bebd22eaa699f43211a9f6ec48357b0299ecd6a2bc58e2c3fd7034a14eff0ecbafe1d5412c4b516e55
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/QbUkNdNI:+nyiQSobUkz+

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4868) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2476-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/2476-1828-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2476-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2476-1828-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\kn.pak.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe

C:\Users\Admin\AppData\Local\Temp\f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe
"C:\Users\Admin\AppData\Local\Temp\f94cfb97bb290fe16ef517320f0ce06cd88cfe7fb3ce1c5e3387635076765534.exe"
1⤵
- Drops file in Program Files directory
PID:2476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp

Filesize
72KB

MD5
30513c2734254d01aab23d225b6217f8

SHA1
5c25d4e686b36e377cfc46eb557f572ba8128dd8

SHA256
e9ec1ae88c140e02af046428c588319ced024988e26fc83aae5b9326fa5de812

SHA512
fac6bf72ed2b79c5f01f41429dafaaf76eabb241be24d9bb7d14339ca09c0e818dfd738c6e429f986933bc11be53821d7f947a0f45a51384d2f0da073efd6297

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
1baa06969c709fa02a4bedd9cf330e4a

SHA1
171b325f69cff9329a1a9595ae03fcd90e63de63

SHA256
fe4cc1f793a1b9ca4a7da33f9747bf00952b073fa7358a0a66dc1634ee283f0c

SHA512
81ec3d77195500f0f288007598a30947d7c9fecfbdf938cd6b6fb499b70bf3afd1b10bd414e933c29ca146fab111cb69b4060bff129568b602a9fda1c0143217

Download Submit
memory/2476-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2476-1828-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads