16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 19:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
Size

167KB
MD5

6f43311f97af307d4ad862e797439728
SHA1

ecbba5bae582839fe81ff3f4b9492f553182f848
SHA256

16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c
SHA512

596ce9596d9fd432de416624e85dab75ea6255b71aabd57b1146efe47174769a9f2906ce0845f1bed35ddd3bce9c6bdd480bcc96acc99a2ed16429e6ff80a6e6
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q1pkMJ+ZGtK1+ZGtKQNMdTajOtGtU1wAIuZAIuJBd:KQSo1EZGtKgZGtK/PgtU1wAIuZAIut

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4715) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/1072-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x0006000000023270-2.dat	UPX
behavioral2/files/0x000a0000000233b6-6.dat	UPX
behavioral2/memory/1072-852-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1072-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0006000000023270-2.dat	upx
behavioral2/files/0x000a0000000233b6-6.dat	upx
behavioral2/memory/1072-852-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationNative_cor3.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\id.pak.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC32.DLL.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe

C:\Users\Admin\AppData\Local\Temp\16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe
"C:\Users\Admin\AppData\Local\Temp\16e34d1c02ff1cc055d035d5a751e97fe6aff7fb6b58519bbfb78961d1a63f8c.exe"
1⤵
- Drops file in Program Files directory
PID:1072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp

Filesize
167KB

MD5
a8c60018b05caaec509409e0881790e7

SHA1
91d74b61dfc225f148752ab028a24211e4362e31

SHA256
b6df8eaded6f7fc80fe2f3b42a00d66daeaa52c961b2d8e6dd80c3ccc34f11d3

SHA512
464572133deb58dd8253e371e437d7e121a5f47f80fdf509b3b996c122483e9d626ca9b00f64e264f6190bfc2d26da9b7b1c3f6da6ce58e25ddd444aa93cc5dc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
266KB

MD5
eefb5ec5c246455ab3ab0e07e5237560

SHA1
a0d9f34a794a16b83a697a2ae67ef7326b0390b3

SHA256
aa81cba001bfa4c324e6f0c03e1547036cce306a25bda11ee096e90295e6833f

SHA512
4446a48ded3ebec7cd44e5603d8b052fcdba4c0e8dc7e567fdaf02e4ee762669d239975f49711d9476ab63f2f3097cc9c073a57eb33e1f1ad15478e9c7b2a564

Download Submit
memory/1072-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1072-852-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download