032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
Size

107KB
MD5

64baa5340e1d221e510d80d228c878dc
SHA1

7334c581a458f5443c02b128acd6783d33ec09e7
SHA256

032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e
SHA512

2276a4770756e2d21150df7edb25f05718da9bf556b93b3c41ea5af93a22dc56594ca746e9138432e9e1fbb71495cc25ced3fa9f7bcb8b512b31348d93ea7136
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfVyc:hfAIuZAIuYSMjoqtMHfhftEo

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (2029) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/644-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x00080000000233eb-2.dat	UPX
behavioral2/files/0x0008000000022975-6.dat	UPX
behavioral2/memory/644-412-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/644-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00080000000233eb-2.dat	upx
behavioral2/files/0x0008000000022975-6.dat	upx
behavioral2/memory/644-412-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\external_extensions.json.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\optimization_guide_internal.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\it.pak.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogo.png.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.JavaScript.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe

C:\Users\Admin\AppData\Local\Temp\032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe
"C:\Users\Admin\AppData\Local\Temp\032732b677aa04c6e15e299417f1bed5934adc56973be92f3a6a6bf937faf48e.exe"
1⤵
- Drops file in Program Files directory
PID:644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1826666146-2574340311-1877551059-1000\desktop.ini.tmp

Filesize
107KB

MD5
d9a0e8b908a5947fb3728664fc21d99f

SHA1
e1bf0c13093057d37803de9be9fa21c54253eea1

SHA256
c25d47a252eed8df87d1a963006573257a3aa96ce04ed795356a57e3fa033f83

SHA512
775469eedb2c3043511e07b2383b6b57028c3f9f340a6831c2b228761a16185a59f96ca90768d1bdddc46ecb0b320add9b2e4bf2bce59c280c74abb579bdda9d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
206KB

MD5
757f079903a3d489bfbfc168fa25a79d

SHA1
a99575294eba6e4d95381451a9acad3385520ae2

SHA256
346b6346bec4f11013c867634ebb09f05d2cfd5b6401d7aa7a5bf9c9836a8ff5

SHA512
b1e7790d3c8ee68e124fa91e8eb3c5a94db3d06e4b92a8e34db1df52b7a7b2cb385c6c9c396e49491d7b36b1f129a19275866b92209d837ba7b27668f2f285f6

Download Submit
memory/644-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/644-412-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download