a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
Size

112KB
MD5

07d0d1e203a1cc0814727763c3affe6b
SHA1

492c356635f07d571963f2b00619354abf82fc8d
SHA256

a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584
SHA512

6b5276b82ad63703dc2188471a59fd4c96862c7be3ac9e291b9a4131bbe1b824f819ff3496ed0bd35ce957b3935225c43238614ff5102612943f521eb21e71b5
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hf0x1:hfAIuZAIuYSMjoqtMHfhfg

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5014) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3492-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000b0000000232f0-2.dat	UPX
behavioral2/files/0x000800000002295a-6.dat	UPX
behavioral2/memory/3492-1034-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3492-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000b0000000232f0-2.dat	upx
behavioral2/files/0x000800000002295a-6.dat	upx
behavioral2/memory/3492-1034-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSF.DLL.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Office16\RTC.DLL.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Extensions.dll.tmp	a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe

C:\Users\Admin\AppData\Local\Temp\a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe
"C:\Users\Admin\AppData\Local\Temp\a9a45ecc8b7d594697f0538865a0cd1f284b9fb6de8c112b84bf1c79257a9584.exe"
1⤵
- Drops file in Program Files directory
PID:3492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.tmp

Filesize
112KB

MD5
98d43e1575fe22c9d9b71282b4b4153d

SHA1
10f30173a03b2c2bf88820ba30cacc50a3b8f90b

SHA256
b83eef025df158431eb9927618036673c883381d8b010002eedc9c411517ed0a

SHA512
bce3f48404102d7800bdf4cd057bd3ddbde7d0d4488d7cd2a0e743e6c0f605f13ab78928c9c09a28f740c257e83e3fa3de2218167204514107a19143faae5c57

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
211KB

MD5
b7b0cc9a997ff6bc5f99b175003cda14

SHA1
c1459602beee107855b0f5fa2206b4cda9402592

SHA256
c44bed9a87cb1db0f1a32cbbd1ecca09f5107e63bb388ea8e53043cf7bceede1

SHA512
92f857eacf038fd9b4a4d5b6c9f6ce1bee4256838191777c099ff0febd0b8a4e8e5c1d9cbbfa21fbd36e928830acb0d5456ea780b649d27f6ea061101ec5fd38

Download Submit
memory/3492-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3492-1034-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download