277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f

Analysis

max time kernel
150s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
Size

186KB
MD5

b0548f54355655069f0732456444b214
SHA1

709f89fbb2385faeb6a196f104bb2ed1c2ff0dbd
SHA256

277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f
SHA512

378f3e5b199ddf9224ce45d471196c7f305774ebd35b8d2c772decbafee5b0468de70c37e1c2ba92059fec877b03ac71b7890c5319d53b58b24aa18c3dfd2fce
SSDEEP

3072:fnyiQSo1EZGtKgZGtK/PgtU1wAIuZAIuXwFwtdQixiw76y:KiQSo1EZGtKgZGtK/CAIuZAIulr

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4727) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral2/memory/4032-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000c000000023b4c-2.dat	UPX
behavioral2/files/0x0009000000022970-6.dat	UPX

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4032-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b4c-2.dat	upx
behavioral2/files/0x0009000000022970-6.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMICAUT.DLL.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Primitives.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PenImc_cor3.dll.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe

C:\Users\Admin\AppData\Local\Temp\277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe
"C:\Users\Admin\AppData\Local\Temp\277df6b7e2b08e4d801692aa6182ecbb56d2e7d5701d4ee455f554f9b606bd5f.exe"
1⤵
- Drops file in Program Files directory
PID:4032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3726321484-1950364574-433157660-1000\desktop.ini.tmp

Filesize
186KB

MD5
f8dd44aa10cf213ba7b6aa59a0f2cce4

SHA1
bfa0d1523f09ffded23d359ee1d94fdde1dba681

SHA256
022b0741735c0160345c4d4849673fcce7df5b1ccef0c8dffb7bda4d9bdbf9fc

SHA512
f697867cd2a8749830a41741272086d1eef416408dc0b841832035554450eb431f6e3f97fe046e4f5f1723d2647c9450bf2532980392b81cb618f32907d83204

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
285KB

MD5
78840754ab4b8c5eb7601037e4eeadec

SHA1
7c97c5dc45e6fe5d1426fae0802b0ee57239bf95

SHA256
7122a6a9de596b984290926346a0d60bd8ebd7cc2430cd06ca0a91bc39381c16

SHA512
8d85a1d46d178a3028b39dd9c4c2482c59c0775c5ff1767fa1aad2b9919d4266af1a069f81ba45f0040896cac60f6d2abb015caa941a9e77e8d66585fc93d8e9

Download Submit
memory/4032-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download