d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
Size

72KB
MD5

316c490e6fe6ab493b6398c50cdde555
SHA1

72447f4ac07e51625fad397ddc6da4b0f74bfec8
SHA256

d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27
SHA512

6966610e89de9a785d3d91f258f18bf14b697cfc2d8e214041c1b0bca4e88d6f854ef8b16aac8a20105984a3c7f2a33b36880726ebeaa3a00e11ff1a5090e6e1
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8xJJMJJJ+T:+nyiQSo2

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5148) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000800000002328e-2.dat	UPX
behavioral2/files/0x0008000000022970-6.dat	UPX
behavioral2/memory/4820-1802-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000800000002328e-2.dat	upx
behavioral2/files/0x0008000000022970-6.dat	upx
behavioral2/memory/4820-1802-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\TellMeRuntime.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\uk.pak.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fr.pak.tmp	d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe

C:\Users\Admin\AppData\Local\Temp\d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe
"C:\Users\Admin\AppData\Local\Temp\d17daa2ebe1ec584e79de48e03402cdeaabd9d3b00c65664ba516ea4dde36d27.exe"
1⤵
- Drops file in Program Files directory
PID:4820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

Filesize
72KB

MD5
4ddc5be5f7b036dfe1c9580810875e9e

SHA1
62b83127b340c978531f62b08f4b0ccf39e7154e

SHA256
54ba0fbd604ff98ddda2293a56931610059279c28f592be866bc1889f532a557

SHA512
c945ee3780c3a36421c7194318390c78e295f13077655d64c016363ae2f1b3b0a9710a357b463c8c028ed8763f47a601b0388e1a82273fe4c8e6ad2cd19b5ae1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
28b1a213e7e356caf701aeb2cccab509

SHA1
055e6aa08e9a08f8819e9d9832969e842da8b962

SHA256
f57e9717411299c7dfecef38d52870970274b046feff8bbe001fb832f5ec3791

SHA512
eca5beafcb8125590e1e4cf1eabf796401b840ea13035ac184db1b714766413887c57ecfeb5d8b617679b1e7bbbc27ae6865ec3330faf60b9de31a39dfe1df23

Download Submit
memory/4820-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4820-1802-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download