185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
Size

107KB
MD5

4716b896173bee922c797693ffeadd91
SHA1

f7000396d620623bb43386c09bc83961879ae624
SHA256

185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110
SHA512

ab925043ed943579c96b95ce025ec140cf810395ce40fb6528b88255216bd205be87a49999fb861c8ab4750dc7628add6c7036730b4515e7ad49133ea90190fe
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfS/B:hfAIuZAIuYSMjoqtMHfhfqnB

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4840) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4372-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x0008000000022f51-2.dat	UPX
behavioral2/files/0x0009000000022979-6.dat	UPX
behavioral2/memory/4372-942-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4372-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-2.dat	upx
behavioral2/files/0x0009000000022979-6.dat	upx
behavioral2/memory/4372-942-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\ConvertFromClear.css.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe

C:\Users\Admin\AppData\Local\Temp\185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe
"C:\Users\Admin\AppData\Local\Temp\185734612dafd25162c0b3ebba015c9b20699b8bfc9c8cbbb959bd51ca56b110.exe"
1⤵
- Drops file in Program Files directory
PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp

Filesize
108KB

MD5
eb509890a67411e3890f968efbaeb3ae

SHA1
037fe65f52ee59858b5c9bc0e89df37707131753

SHA256
81cc7fc3fe0abb73b17f7879e809ef4f0d7d4c14d7f3e63948d3d1ae8b25b2ba

SHA512
c5fb8e25fe2ba9d7fbb3712b2748b454d10388a5b0d1a569e40e30d10a074e66cd3f8202a069f8cacbe2c1d5d0d4da4d1e3bc5b6b24a9c71320056db29de2e89

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
207KB

MD5
07aaf752a932e2a48c6cd6877833cc6b

SHA1
a0106b797caf1f05454a16413d1918c62d918fd7

SHA256
e26c8a59ec3012efb41c23a9e0c289832db29902706de11184593561042ba00f

SHA512
cfbb7521046ef56ce1f64fcc16420581d2f4f19d1ae028b69d9f64fcd16fb711d9103282a5ea5152a439845393236d5a16d0348e29d13442965f8abed7a9b2ec

Download Submit
memory/4372-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4372-942-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download