4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
Size

168KB
MD5

8b8f7619d9c06f6167a8c6ba7dee0580
SHA1

61d45145859b4ded93169e88544fc2d2dd649ba1
SHA256

4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0
SHA512

e9bffd6d740d777cec6bd9f498137587fa7a0187c18c30039da07daeae29ef92a1ab1e0a09c42a5e1a6a62843c663c008494b3ba5f9520099e2e53612a1df52a
SSDEEP

3072:+nyiQSo1EZGtKgZGtK/PgtU1wAIuZAIuE:JiQSo1EZGtKgZGtK/CAIuZAIuE

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4940-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x0008000000023244-2.dat	UPX
behavioral2/files/0x000400000001d8b2-6.dat	UPX
behavioral2/memory/4940-342-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4940-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0008000000023244-2.dat	upx
behavioral2/files/0x000400000001d8b2-6.dat	upx
behavioral2/memory/4940-342-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-synch-l1-2-0.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework-SystemCore.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Classic.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Globalization.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Input.Manipulations.resources.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationTypes.resources.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationFramework.resources.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.Native.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Resources.Reader.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Contracts.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Data.Common.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encoding.Extensions.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\PresentationUI.resources.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationClientSideProviders.resources.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.Algorithms.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\System.Windows.Forms.Design.resources.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Http.Json.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.VisualBasic.Core.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Quic.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.AppContext.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\WindowsBase.resources.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Loader.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.UnmanagedMemoryStream.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.TraceSource.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.CompilerServices.Unsafe.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe

C:\Users\Admin\AppData\Local\Temp\4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe
"C:\Users\Admin\AppData\Local\Temp\4d69cb07645bae0a8810ff2806f9a2af14ba1d0d5ea451da9684101eeb2f11c0.exe"
1⤵
- Drops file in Program Files directory
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp

Filesize
168KB

MD5
3139b01af7d06555243d3ca9d7525156

SHA1
f36fb657b5106166fff6acc8cd2089eea80553c0

SHA256
7e4a0d89cafa661810fd5961c3cde86875d6899baa2a60120412f5a16df16470

SHA512
c463f2a45ecf1c29babc4cb40e0cccc073bc0444cd8feb7020e5ff5fc128c4882acfd2a497398dd51a9bc962a4af960d764ecc84a30822212bf069ab80e55e9c

Download Submit
C:\libsmartscreen.dll.tmp

Filesize
168KB

MD5
751cec9fc2b0bc49ebd94b050bb9a442

SHA1
c07b141a102f61456603bb64b97dc4e27f45cadb

SHA256
63559ab32404184dc7791d9fcd975721e76497d1b00df436827713bbc3ea472f

SHA512
99132b1f3ae8a821a7553247881f311edb7325954c6ce26135437e9e1c3c91d867dcf874000fab3905c218ae59a65ce7eeb9da5769e63fc8d6065997e26eaa77

Download Submit
memory/4940-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4940-342-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download