bd5c8dfd0db5246615b42e34b1c0392a9d49ec96af9b99c871fa8c34537d9a9e

Analysis

max time kernel
150s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 14:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

597f83712b354c8de354dbd0cbaaab1b.exe
Size

129KB
MD5

597f83712b354c8de354dbd0cbaaab1b
SHA1

b9495dad2dd4b0bd426c8ae8585dc7545871be42
SHA256

bd5c8dfd0db5246615b42e34b1c0392a9d49ec96af9b99c871fa8c34537d9a9e
SHA512

26a860f42ab457cb83408fdc75a503f49b7ae86ecb9686ddfc6932375fa71613dc859104beeb9c03445cab02d15499cb95e12d71f0f1dda859a1ee9d87d4c781
SSDEEP

1536:67Zf/FAlsM1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCt:+nymCAIuZAIuYSMjoqtMHfhfk

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4718) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/448-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00060000000232a4-2.dat	upx
behavioral2/files/0x0008000000022996-6.dat	upx
behavioral2/memory/448-1600-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	597f83712b354c8de354dbd0cbaaab1b.exe

C:\Users\Admin\AppData\Local\Temp\597f83712b354c8de354dbd0cbaaab1b.exe
"C:\Users\Admin\AppData\Local\Temp\597f83712b354c8de354dbd0cbaaab1b.exe"
1⤵
- Drops file in Program Files directory
PID:448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp

Filesize
130KB

MD5
32a5eca3cfbef946f1540a5f4b9e323c

SHA1
d0b0bddb17fb1c85f568e94a33d329f3d912e24f

SHA256
0db09bb99e76cedc97572b7f4fd97b66ebf67ebcc4ba5023e0fbcb450ab83a5b

SHA512
bf9a0bbe1f00127e53922d7a2dc1d1e92aa029501ad7e845b5a0e41fdd78ee1c878cf512d47fb391602a2cc4ebcdbbcc7024b8681fe6d2199eeb9c19b13a579a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
229KB

MD5
bd5b4697fd513963120ca614f1905565

SHA1
184eded232480a9383dd7692b14ca8438964e5d3

SHA256
64ada5f86d7cf54b41b4d26cda7d991b5b50e0f779e43dca22defcfc24e76967

SHA512
685dedda61e174d7ccbfdc06523c9a23701abfb7266ecfc0ca818b5e7df643e0438f6a23b924a8a329be04dedc63c40adf0a34ee052d17e8ab7b0ddb16cab79c

Download Submit
memory/448-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/448-1600-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads