fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 05:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
Size

122KB
MD5

169dab63cc8b5b88788ad8e3d513ef5c
SHA1

2933ad4563fde5b49f963480cfafc50c85d7e571
SHA256

fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03
SHA512

68bb0369b524cc4cfc3b7a425589789cf312b4b151ccc66c2eec29e01c3556f40aa23dcd43ebc962dc4dbd07e90ab0090652c7c4d586dd5318b58926f4f09b9c
SSDEEP

1536:67Zf/FAlsM1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCU:+nymCAIuZAIuYSMjoqtMHfhf5SskA

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (906) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4752-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000b00000002321b-2.dat	UPX
behavioral2/files/0x000400000001d8b2-6.dat	UPX
behavioral2/memory/4752-414-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4752-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000b00000002321b-2.dat	upx
behavioral2/files/0x000400000001d8b2-6.dat	upx
behavioral2/memory/4752-414-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.NameResolution.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Loader.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-timezone-l1-1-0.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework-SystemData.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ObjectModel.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationProvider.resources.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.CompilerServices.Unsafe.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\WindowsFormsIntegration.resources.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Forms.Design.resources.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-process-l1-1-0.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Primitives.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\mscorlib.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationClientSideProviders.resources.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Compression.ZipFile.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationUI.resources.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\WindowsBase.resources.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.XmlSerializer.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationNative_cor3.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XDocument.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\PresentationCore.resources.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Tracing.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Quic.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\PresentationUI.resources.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ServiceModel.Web.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe

C:\Users\Admin\AppData\Local\Temp\fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe
"C:\Users\Admin\AppData\Local\Temp\fa73e0e41a45a93f202565e0f51c19aaa0275fb4b60753bc56d02a0d7cfffa03.exe"
1⤵
- Drops file in Program Files directory
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1352 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp

Filesize
122KB

MD5
d604118a8b55d71c8493e998e552b77e

SHA1
1e0dc554e0bc729155f724562973730b5ffbf428

SHA256
2e0627e8d367f3fc251dc94ea10227627e2bece7de1258c19d92125c7aa90ec5

SHA512
aa3a9ad0210271d57dc1eee07aaf7e361be4d6b25837fdd8c96be6c521794ccfe79226b3c1c80070ae8e0ee95b94d67855742186531eaa390196fcf18a60ebeb

Download Submit
C:\libsmartscreen.dll.tmp

Filesize
122KB

MD5
8a7ca78325dd48b06f9b0ff6567d235f

SHA1
42918ab2a70f3ae83f7eb30b8518808920abfaab

SHA256
5f06df73b1d25d7e08875951fb1bac2188af99a6afdd865aeb495d4cf1908ce6

SHA512
22c6881bb21b80c5493e4fea56478669128d72836d204d4dfac3500607dc91782d799b31f80bbdc8f0b2cdeb9a251e333ffc68570b89db7d375146ca5e78d186

Download Submit
memory/4752-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4752-414-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download