c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
Size

103KB
MD5

e2d01fdff3134be581bdf24b4416a414
SHA1

accf13225735862a98040b6b506e46e0e5e67891
SHA256

c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61
SHA512

08576fc4e4b343c180f29e12c916068eb3ea8baf9c7b9b6a9923798bdb74004d768e7958a1956eaa1b7eba1b04aed35e189d02149af504489a8adebd435a0d63
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hf0xW:hfAIuZAIuYSMjoqtMHfhfH

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4692) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/932-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000600000002327d-2.dat	UPX
behavioral2/files/0x000800000002294e-6.dat	UPX
behavioral2/memory/932-860-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/932-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000600000002327d-2.dat	upx
behavioral2/files/0x000800000002294e-6.dat	upx
behavioral2/memory/932-860-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\vulkan-1.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\mr.pak.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe

C:\Users\Admin\AppData\Local\Temp\c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe
"C:\Users\Admin\AppData\Local\Temp\c86277b0f432cfa8ef56e07a6c1ea7f4872d5fa1b2ff417a7d6feedf867eba61.exe"
1⤵
- Drops file in Program Files directory
PID:932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp

Filesize
104KB

MD5
0c2f5dc3d3630d5273f11f2020d1c525

SHA1
b1a4952cbe973cd971a8ced9bd09ddc13098cd52

SHA256
439b9ede0a4df4dcab89bb8a2073e7d172f46792fd814231f9d88c302058ea61

SHA512
a0fd6d1c81b954515a02cce459409944871ac6028b9ac252d6aaca4fcb27574576a011fcc2c44c65f098623a0fb90b9859d872ba5aa5d10f99192589003944e3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
202KB

MD5
fa0c34ed7800e1c259a3a1fc29b2f178

SHA1
551f4b7b565ac7cc9e45a33f28205d5c8afd7d8d

SHA256
05670bf1e0e25ffb52a8637edc215b42e3dc8c1bf2fb281a01654f0bfe1a8209

SHA512
b101d895d0775ef15d5f5056c195d17e279d82b9a0acf6e5311e0bec70ae172dfe46e0eb34673e8b4c881c25e0c7f6e2af2ed1ea12ad783ab6df1479c1d09528

Download Submit
memory/932-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/932-860-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download