f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
Size

38KB
MD5

c8788c6e2cbdfc2f868570d423166bc4
SHA1

9a674083e94268e2a325f5171798caa055b7da48
SHA256

f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed
SHA512

dd1fb9d4bb6af39f2db1cf464b1368ad16594f6f60792dd2efaa7da4473e8c19c325618e0d66c07cdc2ce254ced8d5b6af891d758c6a483fd261238cfc7e9b87
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uA1:CTWn1++PJHJXA/OsIZfzc3/QM

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5263) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3928-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000d000000023aee-2.dat	UPX
behavioral2/files/0x0007000000022971-6.dat	UPX
behavioral2/memory/3928-882-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3928-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000d000000023aee-2.dat	upx
behavioral2/files/0x0007000000022971-6.dat	upx
behavioral2/memory/3928-882-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\PRISTINA.TTF.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALAB.TTF.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-synch-l1-2-0.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe

C:\Users\Admin\AppData\Local\Temp\f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe
"C:\Users\Admin\AppData\Local\Temp\f5012741a116a4128fde6082553bf38a0f4edb9160ef194dea5fe08cc446caed.exe"
1⤵
- Drops file in Program Files directory
PID:3928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-17203666-93769886-2545153620-1000\desktop.ini.tmp

Filesize
39KB

MD5
6c4164fa96c8a82f934a347cdc91f071

SHA1
6e30f759e97b20215d36bbca4df52d3d709f976e

SHA256
93f44bd2221ea9bdd9e910730a9abd71e8ded4b90dd2fe2c6814fe9990846059

SHA512
ebbc77e021bb36ff2fc78c022c931ab9a3e03d59a6f8c70544d8c97acbec9b721543250b341260b3ada22e7ce8616bb12a0b7c62196c6b4f0dd4197d502682de

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
c0d65c8ad312a3f1799c57d4e320ab33

SHA1
1c37fee2d35707507b6d8cb9ff06d66930c2043d

SHA256
42abdb71b5c8177c70589c4880d79adc1e0b9f84ba1a589e98aa3ef92f1695e4

SHA512
940f318e5c0e2f5633a527a45825b88dfc7e14779deb4a2270a04681ffe84e2c57d4f3719465dc6a4f21461fee13252c9e1604e4645bda3150959c62da014ad5

Download Submit
memory/3928-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3928-882-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download