d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6

Analysis

max time kernel
150s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
Size

147KB
MD5

4dca2682ab1ccdc4ae8f8a74aeecdea4
SHA1

059f6ad8b0fea3ea41085036ace3d00a26cf6160
SHA256

d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6
SHA512

69b280857c072976452b2e42092cb7a1202f2d04c49212a25bc3a0a40a2a9b950e0403deec6e288a952e3cc262843bf5d5fa11e68bd26ca783a6e72373189274
SSDEEP

3072:+nymCAIuZAIuYSMjoqtMHfhflixihA9HVTXTe:JmCAIuZAIuDMVtM/HkH5XC

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4847) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4636-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000c000000023b4b-2.dat	UPX
behavioral2/files/0x0008000000022969-6.dat	UPX
behavioral2/memory/4636-1652-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4636-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b4b-2.dat	upx
behavioral2/files/0x0008000000022969-6.dat	upx
behavioral2/memory/4636-1652-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe

C:\Users\Admin\AppData\Local\Temp\d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe
"C:\Users\Admin\AppData\Local\Temp\d84d0cc02c20c872e61c6276ebac6d584480262b19d6b2b7de51758009accbc6.exe"
1⤵
- Drops file in Program Files directory
PID:4636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2818691465-3043947619-2475182763-1000\desktop.ini.tmp

Filesize
147KB

MD5
decfb01a0adda14319e1b530f6103ca2

SHA1
429515ec79d9ac8f267d0ab567410759c18695b6

SHA256
ad02d025519c0c1fd1a6b24c7dfdd526eef34586f3cee8a8ee2a6f58764d7d40

SHA512
f02ef0e8b7f0e1e3490a0b92e0da6964d6aecd9ff077d2d11db66e41128538415c5e13ac176410cbca4755187ff6d7a837d9bac6021c6e696ccac3e309faaf3c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
246KB

MD5
55b8a7a296478634ed1f67d02f43f9f5

SHA1
c67cb8c6239230e61b1cb2afc0ad7c92114ccff5

SHA256
b493e296e7e595435d71767464f892ff72b4b126b99d021cb7dbc955d45ddae7

SHA512
6addbe03ba896a5691d607482ef2c45cf23758ec0b4a6cf6879f2b3d9be2f734cc080198c3fb068527861c024652ea4e4787b34fe4ac272be0f72915a5f8aae4

Download Submit
memory/4636-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4636-1652-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download