5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
Size

102KB
MD5

29d3767ef88196c098e863769336bb7e
SHA1

001519b2e1e71c825e0d84c2fa7e9621e720e1f1
SHA256

5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366
SHA512

dbf2d59d5d6bf64ed490b5f2400637e8b8e4cf2187a0606c13fa4779fae4976417498457d715b871da29ae97f1823bdbd3cc86e86160cb2ecc0e91ca74cf8262
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfKZ/:hfAIuZAIuYSMjoqtMHfhfb5o

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4843) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4468-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000700000002328e-2.dat	UPX
behavioral2/files/0x0008000000022970-6.dat	UPX
behavioral2/memory/4468-858-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4468-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000700000002328e-2.dat	upx
behavioral2/files/0x0008000000022970-6.dat	upx
behavioral2/memory/4468-858-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Primitives.resources.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe

C:\Users\Admin\AppData\Local\Temp\5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe
"C:\Users\Admin\AppData\Local\Temp\5bd4e2e9970a85cb1efdad09948873ace64cb4cf43da14f774f7bd53d89af366.exe"
1⤵
- Drops file in Program Files directory
PID:4468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

Filesize
103KB

MD5
a212b89f2f0d236bd90e7b058faaf1cc

SHA1
67b53291c3bb3220fe0856a07c995c85176535eb

SHA256
52ff920edbe2c54af231ac143628eb1ddc7ae17d54eae4f61cc3d01bfd98a2dc

SHA512
ffeece0c5b07179c2b141d53a44029319312a59221b14c7dd1019a1add96f48cb34b817d6ca78b4e4107b890e9c93d4d2c82b068419012e088ae2b20f874d8bb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
201KB

MD5
b5296b93932240a6aecf3e4f6eda04e1

SHA1
018c58f831cb088a57d1cf28e2728a13c7cc1bba

SHA256
8efd96dcb5d5992432edc60d0d1af3ddecd98491d10f47f5360375eec2cd9db0

SHA512
a32284dcd09675dc165f95b9f22b396644dbe2516f699407f4f86c743ea382cc472d7626adf09e45b3db2acf4af315b8e8b5a1595ad62debc7bbcf54e1c1f836

Download Submit
memory/4468-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4468-858-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download