79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 23:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
Size

1.4MB
MD5

4dd7ae5435d11270483ae17414f51789
SHA1

94bb6ac20dfc9a5d3825f208beba137a7efc9df3
SHA256

79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a
SHA512

27dc7418f27e235fc01484ab0ce1c6fe65a5a119aef83fdd39a99ebe9fc1c53f704e3e54cfaa0ba8cc21d0f5cb186c02b99399f8b7cda5d45e6565a14b9d25be
SSDEEP

12288:IAIuZAIuOVdo4Mxdz68XUdWnGsTefBAZUNHPK5ywHeG5QuKfeoy7UNCfwnmocDQ7:NVdo4Mxdz68k3IESsKDQbhEEoQv

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (1825) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4824-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x00090000000235b7-2.dat	UPX
behavioral2/files/0x00060000000168ae-6.dat	UPX
behavioral2/memory/4824-712-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4824-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000235b7-2.dat	upx
behavioral2/files/0x00060000000168ae-6.dat	upx
behavioral2/memory/4824-712-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClient.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\lt.pak.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nb.pak.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fr.pak.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_100_percent.pak.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe

C:\Users\Admin\AppData\Local\Temp\79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe
"C:\Users\Admin\AppData\Local\Temp\79b297076e1f21dfcc15b0d920ece14923dc352fdaab5694e55c7754d5613d5a.exe"
1⤵
- Drops file in Program Files directory
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
1⤵
PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp

Filesize
1.4MB

MD5
8cb03c74f3e91e3ab54a2c4353373599

SHA1
6aef66ba138dcf656e424a3637f9a738de111ac6

SHA256
a7e6f5d1dbeeea267125501d0aad1959ea7852f630cdd620d48e04b9b5c42dad

SHA512
cbcb7ff8b44ca9a22894c8168c118a4e64077eabb70dbe6b0ba89359d4a2393c49cc0e3f3a429fa866549a62376ea94735f4cd827c84db68725d8a75d971a209

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
1.5MB

MD5
a55619aae43f838c6dfd7f9122a4d05c

SHA1
49c0b64ba62862b7ed4c50558fde84db2e7aa53d

SHA256
fe91b62e0cb8250552d1b9d028a7aefb73ab32a63d0727433b36eae36b72a26e

SHA512
747df9ecb671d1e0e37ae98a794134677035e8fd76909ae48dffcaf443f1fef263fa446c1945c40c3f0de989c1e95b67d077c000f21ba012879b548b2c14c99e

Download Submit
memory/4824-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4824-712-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download