d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 03:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
Size

97KB
MD5

0a42f3d5b4aee5309c51622333bcb537
SHA1

7c6005b76655815b07e252354f093e69c00e8a29
SHA256

d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9
SHA512

444638deed86beb33a072cf6a1deef27452b987248e47fb4fce7fc481887c97480d96a933965afa622b6378cfeb59e02add8ba911bd0c2e571cbb847a866244b
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hf96U:hfAIuZAIuYSMjoqtMHfhf/

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5026) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/2948-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000d000000023b1e-2.dat	UPX
behavioral2/files/0x0008000000022969-6.dat	UPX
behavioral2/memory/2948-826-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2948-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000d000000023b1e-2.dat	upx
behavioral2/files/0x0008000000022969-6.dat	upx
behavioral2/memory/2948-826-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\lv.pak.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\icudtl.dat.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationTypes.resources.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\csi.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\sv.pak.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp	d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe

C:\Users\Admin\AppData\Local\Temp\d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe
"C:\Users\Admin\AppData\Local\Temp\d8845ec553709dea1b3a302c57e1717d470ed156276125366069794d29e599f9.exe"
1⤵
- Drops file in Program Files directory
PID:2948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2818691465-3043947619-2475182763-1000\desktop.ini.tmp

Filesize
98KB

MD5
3336eda460795621064db732b4ab9919

SHA1
8a544977abee57c94507898bd7dff2fa72061140

SHA256
a9d9d365c7dd00c12a27e09dbcdaaa083b76b9b765570a78e67426ef54bcce58

SHA512
ea0671d43e3c41770da56df0fc089e1209f734854c9acedbce7d78a7b6749e3a01bc0fdae2573bdc8b11ddaae5d5bfdd3265b665dfcdbb78ca2a5590c8bfce41

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
197KB

MD5
b49dea0e15a721fcc2cf395aa3033c07

SHA1
55bab42e4562d480697c062cda6a941ee2cc048a

SHA256
dce835a324c9ce38ba0c4f0355dc6d149a72ace6d1bc623f4f28e2fbf5adb2dd

SHA512
08d74d4395b92c26d2ca7f675adf52b55b266d8aaf3ded0f7f92b47510be0f5cdcad690121e8e1e36ed0616c7441edd0e8f1481f0262d255f078c1bef8d04b42

Download Submit
memory/2948-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2948-826-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download