c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
Size

49KB
MD5

700a5191024e236f8dcb99bd155a1178
SHA1

159bc6c59015b14c914f7e042f3180de56f28277
SHA256

c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a
SHA512

9067e4744eca341ffa906d8ddbb7dd07b875a13fc3abe07bef4450e2b0a3ca0aa515c4e0333b61c20379704b0f6af63679c1995a78c130da52929e1d0bf4fc8d
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFaC:CTWn1++PJHJXA/OsIZfzc3/Q8asUsJOE

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4853) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/232-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000700000002328e-2.dat	UPX
behavioral2/files/0x0008000000022970-6.dat	UPX
behavioral2/memory/232-990-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/232-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000700000002328e-2.dat	upx
behavioral2/files/0x0008000000022970-6.dat	upx
behavioral2/memory/232-990-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\cs.pak.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\external_extensions.json.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\manifest.json.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\et.pak.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp	c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe

C:\Users\Admin\AppData\Local\Temp\c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe
"C:\Users\Admin\AppData\Local\Temp\c21da97bbc7d5d5cdcf1af4071302cc2913cc3d4e285dcd323482e2cc9369d0a.exe"
1⤵
- Drops file in Program Files directory
PID:232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

Filesize
49KB

MD5
e8e412565da98acef57717938e21bd66

SHA1
ce063145e48a20b77bbbbe66b9531e7c0e7c9117

SHA256
dbb97e92687105625e0b20475863680c46a7e1b4b93f7f2620385b5d3730f9c0

SHA512
96e6f058b1cd10df0ae933f10b2b382f99b6e3814210c3bca848bcece53c251a4b2d7ee38a0e574c616495da2732110b98fc045d5b3868b840aa9fb5846bc772

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
5e36a214c1886199e56c68176c6ef86b

SHA1
66bd5d5b0450893f9d274669814eb98561e5ceab

SHA256
faa0051682d1d858fd6c6952a6a98b76d72bd70e9981a7e5239c1ce84aa14219

SHA512
845877bee709f3e40217896b1545085d7c20eaec1f479e5abe1715f02aaf220cd9332a004f188ee8b6002a6163e7b64fb992c2d07f1d0352fde3ca1ddbabb210

Download Submit
memory/232-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/232-990-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download