29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 19:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
Size

104KB
MD5

5a405e124a4770317de4551f8bc85278
SHA1

9a853c19410bd88240b8d2085410d7b43bbca3d6
SHA256

29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3
SHA512

d4ffac4fe63f040b28446b9944412ec00a71cd457b3e6cad07407f897c2b2eab1532284d7386e399661432afef55360147a1938628536b72763593f69646fe79
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfC:hfAIuZAIuYSMjoqtMHfhfC

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5003) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/1624-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000d000000023ab0-2.dat	UPX
behavioral2/files/0x0008000000022969-6.dat	UPX
behavioral2/memory/1624-820-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1624-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000d000000023ab0-2.dat	upx
behavioral2/files/0x0008000000022969-6.dat	upx
behavioral2/memory/1624-820-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFRHD.DLL.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\resources.pak.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\SmallLogoDev.png.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fil.pak.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe

C:\Users\Admin\AppData\Local\Temp\29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe
"C:\Users\Admin\AppData\Local\Temp\29a6b4feed372a138543baf663892aad99f02e8911c380a215856eec5a036ec3.exe"
1⤵
- Drops file in Program Files directory
PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2818691465-3043947619-2475182763-1000\desktop.ini.tmp

Filesize
104KB

MD5
0fda6ac653625ac78fcbd40c0f0e0d0b

SHA1
b990277dc432313a2bd56e540531a26b44c94d88

SHA256
f089bee927b4c5eba87a87dbdc6bcbac8d06f999c8b2c58dc746b8797fabca08

SHA512
5a936703fe7fe503670026b1f148d2b37559c779cee9407c59da24267ee8541c006d6adbe0177bc2686c9f5ebebca0bec352d3274f97b1dd4e2062f8e7d1e654

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
203KB

MD5
2438f69a4fe305b4061dbb097e7dfbb0

SHA1
3c0333ba7e21d8c5a316fb242039ff4171a4bc13

SHA256
82e9c558b3d7cc404b20c9d98a09c675611c8ca0ad48304f7f0f4bc851294c48

SHA512
870d04fb5dd0198a35a5e2156568f0e2c5bb57fcd7f045fc7c81e50c3820e2997f2ee954705514343038c61ba0e5ed6f3d819c61764319d1e3e9aabe04bdcb58

Download Submit
memory/1624-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1624-820-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download