d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 03:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
Size

104KB
MD5

895f7ca06ed22e5cb583124918314221
SHA1

8c4407be5a07fe8236ff69b5dcb22329e0e9a024
SHA256

d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1
SHA512

63a729fb52f581ef6402adb92197329ee9dce47badca55f0c90c7ff48dc102f979647a729c2256b426247fe0f23cd1b7d35f90436042edf534b7366bff25b745
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfMSG:hfAIuZAIuYSMjoqtMHfhfm

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5020) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3040-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000600000002327d-2.dat	UPX
behavioral2/files/0x000800000002294e-6.dat	UPX
behavioral2/memory/3040-1068-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3040-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000600000002327d-2.dat	upx
behavioral2/files/0x000800000002294e-6.dat	upx
behavioral2/memory/3040-1068-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\History.txt.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr3jp.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SignalRClient.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe

C:\Users\Admin\AppData\Local\Temp\d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe
"C:\Users\Admin\AppData\Local\Temp\d4d62bac428de7c77d872d6979f559a83600362aac7d650336c48bf82563e1c1.exe"
1⤵
- Drops file in Program Files directory
PID:3040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp

Filesize
104KB

MD5
6ea414ef38890c168f8a0e5c12c6e7b2

SHA1
b4b4949bcbc7447cba337ca2387b8ddc60ce2677

SHA256
6932be8e36b291ada4fb99412794597809d85d856e6038ec4b01414df5af4d51

SHA512
8c718e249266280c27a0d55b0b642c1151f364fe0cee6c28e227f1b26b6f9f3cb8d173006b02fcebe8174791701d4d6509a391cb4dbd4027ca285ccf594912de

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
203KB

MD5
593de83d26d28dfc9fa550bcca372997

SHA1
a039a0bb21f4b8caa02816de73e6878e19fda0b5

SHA256
2f3334ffdbd878c46e5f27694ca2a3991eee2820ea10f36fe2f496968eff28ae

SHA512
519db20a9ea3bc6f860d57082523675687b60a22a598affaed08d3493ddc429013001f42cc33a2f009c400d728cc20cb21ed23040f189f4093dc786570a27970

Download Submit
memory/3040-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3040-1068-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download