626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0

Analysis

max time kernel
150s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
Size

2.4MB
MD5

7754a92908a633a0f2287abfb427bfdd
SHA1

bba8c6c4d71102ac2391a09241c05ac7171544c5
SHA256

626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0
SHA512

5919afa41189b70ab2cf8e6c89e456673ae1c41b64cc8ef8087071c1ff03420666231d278f9a7fde64437f7a1b9154b9a37214d7c8228de01fadc654c21ae472
SSDEEP

24576:AItTItD4aFEDgI5hihF6cLYlrV+UdQBVmJzwc5uxVJ32E8p0cESYSV7fs4cNbxHT:AWBTRzroUdQBVmJzn5+j9lsNG7aFBo

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (1263) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/1552-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000d000000023b26-2.dat	UPX
behavioral2/files/0x0009000000022970-6.dat	UPX
behavioral2/memory/1552-466-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1552-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000d000000023b26-2.dat	upx
behavioral2/files/0x0009000000022970-6.dat	upx
behavioral2/memory/1552-466-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe

C:\Users\Admin\AppData\Local\Temp\626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe
"C:\Users\Admin\AppData\Local\Temp\626622d41ed6001c0c92bb2f9cbfaecacdd04a743901e94988491e0e69e97af0.exe"
1⤵
- Drops file in Program Files directory
PID:1552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3726321484-1950364574-433157660-1000\desktop.ini.tmp

Filesize
2.4MB

MD5
549da095599c4c2c6687534a8cd15429

SHA1
61043b5fb161497456cf1940c6e11bf0feaab0c0

SHA256
a00318ca88bf8b205d10fd6c793326d0bd0a498e328230aa7042e1bd46f0d660

SHA512
ec80a109e9203ec56baa855b8f13c67bd6fd4dcae398a5ccca61fa05ab530713d1c1f578708f4072a0e5185e6d2549ae685e710a6a5e0425f7bea2200658593d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
2.5MB

MD5
f57d554d8b4dc2f52978eb13517e6b43

SHA1
a5567c483f6b9fc675a25afea3e7b80f31894819

SHA256
b3bedb1bddc1f0de854b970a707e8614d3ad3be762187e544cf0732a28c65c83

SHA512
0b6c2098579c51672887c38d8f8934afd67cce8016b301140d4ee818483ea4bcd7dea386547d926b00df295d12fad7738e6faedabd096d19137a80f8b9e18d0d

Download Submit
memory/1552-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1552-466-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download