e27d09fa30ac00e7863ae318a349de4110626fdfa9423b7fad69666d9585def0

Analysis

max time kernel
150s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0da4c3deeda85016c3e7e5ed4bf9875.exe
Size

641KB
MD5

f0da4c3deeda85016c3e7e5ed4bf9875
SHA1

5d9deeec7ef92224766027e609c08a8bd08e0661
SHA256

e27d09fa30ac00e7863ae318a349de4110626fdfa9423b7fad69666d9585def0
SHA512

cfab1e334fb0cf58b5b8d29257228b182812c4584fa17829a01add4a628304d143e0957ce5b6d6e322c69974a1d6f633c1bb97cdcba1d4a9e631b9942ea980d7
SSDEEP

12288:AQtyZGtKgZGtK/CAIuZAIuM2lWRPWhA9PRWg9K:AItj2lmW4RW

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3117) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2060-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b52-2.dat	upx
behavioral2/files/0x000800000002295e-6.dat	upx
behavioral2/memory/2060-1098-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\pt-PT.pak.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	f0da4c3deeda85016c3e7e5ed4bf9875.exe

C:\Users\Admin\AppData\Local\Temp\f0da4c3deeda85016c3e7e5ed4bf9875.exe
"C:\Users\Admin\AppData\Local\Temp\f0da4c3deeda85016c3e7e5ed4bf9875.exe"
1⤵
- Drops file in Program Files directory
PID:2060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-877519540-908060166-1852957295-1000\desktop.ini.tmp

Filesize
641KB

MD5
1d2cf1dfc77cb5b45b267e45d5604b9c

SHA1
d04dc22c14e974efa128c05d77fc3a23e5cd0319

SHA256
ce57ae104d68181b9fe90b77753503062d11c49bc0a667da21f179546df0bc04

SHA512
2d620b19e935025d33434d73cfc725204eb4625eeed4fa5ea893fd005af7b3df7ae8756366bf0135c2f62e5ce94d38e3cec33ae9e09aadff588ac8986b943bde

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
740KB

MD5
5a0cb06c20253d09419ecc6c68e366b8

SHA1
e16a739e452ca7a977633fe371a48836f043157e

SHA256
8f3e7076ae2089369c0bf32d7034cad3efdeb8bd6f1a97795a5fe853cddababc

SHA512
2ec7bab9ad950bb04a14ffa719bd97127de4bc4721f4d7ac9b944dc18bca96488fd15781bcaad96b92c65cae7ae8c236775bbaab83c1a82807ec0aafc5958f76

Download Submit
memory/2060-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2060-1098-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads