cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6

Analysis

max time kernel
150s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
Size

71KB
MD5

924823d2d6ecf7aee10096f9ec44c25e
SHA1

30cd8822a6647f14f17e38568e4edbdae38e25b8
SHA256

cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6
SHA512

93b856c76668dd7d50f5c62c3952974048fe965a48832fd4491aebb08ff546dfc7710bbe798e71a4018c1ecf3cd706f65716e762221dbc5685957d0a048b1640
SSDEEP

768:67Blpf/FAK65euBT37CPKK0SjHm0CAbLg++PJHJzIWD+dVdCYgck5sIZFmzWzXUK:67Zf/FAxTWY1++PJHJXA/OsIZpPEIUu

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4860) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3968-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x0007000000023305-2.dat	UPX
behavioral2/files/0x00080000000229db-6.dat	UPX
behavioral2/memory/3968-1776-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3968-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0007000000023305-2.dat	upx
behavioral2/files/0x00080000000229db-6.dat	upx
behavioral2/memory/3968-1776-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\hi.pak.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe

C:\Users\Admin\AppData\Local\Temp\cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe
"C:\Users\Admin\AppData\Local\Temp\cbcfd6b5c1e1aeb9dcd174e7a221231b2895658489e241c542bbee27e2e670e6.exe"
1⤵
- Drops file in Program Files directory
PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp

Filesize
71KB

MD5
a3305633f0553cc231b1e33366683393

SHA1
9b440fc5c9d5e3dea1966145f16d4a53ae37b29f

SHA256
956a782f3bce14923782bb3929051f8831ad6b86409fd4ef36de8bce16e17c1f

SHA512
371fa1fcc02ab841f134533f224eedc019b9a07868703c0a51b52bb0a469eebbec5897d95d57d472a56da2ee23e43020efc5835bf12c5775e99dd07adba5569b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
170KB

MD5
e93303affb3692bbecdecdf51638b0b8

SHA1
e6e88d332c2d815b23a5ceba6dd09b390b7d7afa

SHA256
a81efc96e8efd7e56cbf43ecc244b564cb57ab1d99e4e223f1ae5603a0bd7ed9

SHA512
5b3c3d05e9312c1b69e5f6cb52183b070f2f2bb69cef5d981b3d5ddc7dca56f003df775b83ca98688c70a766750c46f6694fe4bc173c18d8b28faaab0813276e

Download Submit
memory/3968-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3968-1776-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download