bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
Size

127KB
MD5

3837d49e71ab0234325ce429fa22be8f
SHA1

59c67c47ba36bbf047fad856e69ac5fb5d4565ae
SHA256

bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b
SHA512

81ce955f4096b7e9e74d1ba2c739b7e8209a366751f75d07ffd5cd867e13324df9b23d1560e02eb58f1454a7f4717d857830b4b2adee78a75051a66d544bc337
SSDEEP

1536:67Zf/FAlsM1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCi:+nymCAIuZAIuYSMjoqtMHfhf5SskG

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3224-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000d000000023b99-2.dat	UPX
behavioral2/files/0x000700000002295f-6.dat	UPX
behavioral2/memory/3224-1690-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3224-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000d000000023b99-2.dat	upx
behavioral2/files/0x000700000002295f-6.dat	upx
behavioral2/memory/3224-1690-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_200_percent.pak.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fi.pak.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IVY.DLL.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.tmp	bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe

C:\Users\Admin\AppData\Local\Temp\bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe
"C:\Users\Admin\AppData\Local\Temp\bc79958373d59c8d46ce20429c86ce9e19862ce788c701008e11c2c90530497b.exe"
1⤵
- Drops file in Program Files directory
PID:3224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3411335054-1982420046-2118495756-1000\desktop.ini.tmp

Filesize
128KB

MD5
77810c6102aa0402a41043e38b66af2f

SHA1
613395189e1e87f33f3746c946d96df9360537fe

SHA256
ce082aade581105e22180bd989b5b5e837cae0ef699479a93c4b44762f41758f

SHA512
01acc60edd3992b5a203b0ef8dfb9d0ce03fa134dfb766970f3b37f78f6bd18ea1d956cf704b7113ce32e95c4068e9a971caa04be39c58d9202d031d94662308

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
226KB

MD5
ad758b6bbb879ab4ab7e82e7573af743

SHA1
169e20555f8fa9ec33d1e2ab85ce3c50c9fd67a7

SHA256
a705019740b464751bdfdf45bc1c7171ba08ca262ed21e5b39b666da673fac67

SHA512
670af419838503b0e2267b0793d8a04d4b42a5784b44d49328359a77a8c48bdc928e463c13a46c13f7fad5e143160a945bc248cef328f8aa244c4f5c87c6b0f5

Download Submit
memory/3224-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3224-1690-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download