2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 20:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
Size

1.3MB
MD5

70da2675792cedd8835fa6cae92e0ba3
SHA1

0adaf85187481a37fce5549b1b58f0bd3cd9346b
SHA256

2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb
SHA512

ab109723e9b3aa42859fdfdb5731140cb5f4e9265b6d9c6763310ad9dc6485f832111601a1a09ae652e336c118bffb06c3bbae3d4fcc05b22d34f444956ce1fe
SSDEEP

12288:7AIuZAIuOylj05a55PJQHbuZ/kPlWzsiqL1SWb3bqnw6wNHy0N0/AnQ63zg2nzTD:Iw5Qyc+Aqw6KH+AQ6g2zTHqjMaK

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (1867) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3972-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x00090000000226e8-2.dat	UPX
behavioral2/files/0x0009000000022975-6.dat	UPX
behavioral2/memory/3972-670-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3972-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000226e8-2.dat	upx
behavioral2/files/0x0009000000022975-6.dat	upx
behavioral2/memory/3972-670-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoDev.png.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationUI.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Primitives.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\vk_swiftshader_icd.json.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe

C:\Users\Admin\AppData\Local\Temp\2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe
"C:\Users\Admin\AppData\Local\Temp\2f4aec9efee3b5924c9cb17b4a8b90c8bde8ce06facc55e7ce8722886cfaacfb.exe"
1⤵
- Drops file in Program Files directory
PID:3972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp

Filesize
1.3MB

MD5
6b4c5c1c0d7d41cdd7bdd3607f393bca

SHA1
c85d79300d9aade927f845dc004ecdac1f682378

SHA256
99decac39f27917c15b10f1ceb40095a827f9ac48ebdbf3e55596c9ad3213ca8

SHA512
bd1e8871cedd802cc063e6d63da982233d256d3251babe230117e2b546a64a7d825b2d51e968021d305699b7f3082744623e1ef581f3ef596d324345fe44eb18

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
1.4MB

MD5
d99bdc44058f7177360e818ade0341ff

SHA1
8971fe53f2b4e68767b32c8b537bb7b515131303

SHA256
8ecf430e636b081a3ffefa58362878d4ee87f794b9714062806aaf96f7f63d04

SHA512
e04af5a317fb7a35a30cb9da0262d1db693407b4fd89f31c23d55a6495ecb94315eba6844563340c5477cce8ea00dd2d6146e1cdf5e1778911e818c6504450ae

Download Submit
memory/3972-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3972-670-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download