92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d

Analysis

max time kernel
150s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
Size

249KB
MD5

fc387aedb639f8435ab9f72b2f410690
SHA1

8f081c511e4dc555e50611267d1ebbf225209294
SHA256

92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d
SHA512

8380d36fe6f60309a757ee96ec1ea222d9140512fb02f87e7548860c1a9de9fec60681f668f01693f2048d0d0853be8286aadf2b92e39f2ac677dd1cf5604782
SSDEEP

6144:KmCAIuZAIuDMVtM/sgBfAIuZAIuDMVtM/sg3:IAIuZAIuOBg5AIuZAIuOBg3

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4367) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/1984-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000b000000023414-2.dat	UPX
behavioral2/files/0x000800000002296e-6.dat	UPX
behavioral2/memory/1984-1428-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1984-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000b000000023414-2.dat	upx
behavioral2/files/0x000800000002296e-6.dat	upx
behavioral2/memory/1984-1428-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClient.resources.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\el.pak.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe

C:\Users\Admin\AppData\Local\Temp\92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe
"C:\Users\Admin\AppData\Local\Temp\92657494f6dd3449e04903a97c0ff46cbfadcffee626f24fb858111a347c642d.exe"
1⤵
- Drops file in Program Files directory
PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini.tmp

Filesize
249KB

MD5
f89700f5f0068003e9c399e854b099c1

SHA1
0278ca5151b5f783b6c6eec49ff81de4b5e9c8fa

SHA256
8b2c648624ff467d072d4e91adcfece3df6c8000b4d0ba7c7a394fbb70a0b227

SHA512
33747a248d8c2ca7168579fc2daea6e9e1232836a92e3d87391e8fe3ca3e61f76bf66857308f297af24037934aca55d5252572cd54c52a27ed8b11838b091ffa

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
348KB

MD5
799c0a7fdd97ef1add46c7962b5c2eb7

SHA1
5f5e6f31258113b184d3e061e8f450bfbf03143f

SHA256
ed8287a15f0e80bbdf729417159062c8f2181bcacf7e23d230e0a1996c985956

SHA512
f7761ad553ea638e7d243b356cd7b50f4f4252d9a539572de11d4fdac19e529477c1ba6bc3b909f64a152b029f5cbe22de56b52217711a5a64172a5c42c2b814

Download Submit
memory/1984-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1984-1428-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download