Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-06-2024 23:42
Behavioral task behavioral1
- Sample: 79fc6ace5668a85e02e0e569411730054d312595cb2417e659d5073dfcde20ad.exe
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: 79fc6ace5668a85e02e0e569411730054d312595cb2417e659d5073dfcde20ad.exe
- Resource: win10v2004-20240508-en
General
- Target: 79fc6ace5668a85e02e0e569411730054d312595cb2417e659d5073dfcde20ad.exe
- Size: 86KB
- MD5: 693d8dc506a7b5d14826d607d4483113
- SHA1: 2496c57982c1892ea55b265f8b10ac4bfcb59fb6
- SHA256: 79fc6ace5668a85e02e0e569411730054d312595cb2417e659d5073dfcde20ad
- SHA512: 9b0ee265aa88eee56b8fd3eeeac405127def4f9d1873140c47c4bf4b8529f21770af029471546f2b1b7ec71de9928b2ed5e42c3810543e5ca9f5f038113fd4ba
- SSDEEP: 1536:a7ZyqaFAlsr1++PJHJXFAIuZAIuXsJtLJtZ:enaym3AIuZAIuXq
Signatures
- Renames multiple (5194) files with added filename extension. This suggests ransomware activity of encrypting all the files on the system.
- UPX dump on OEP (original entry point), 4 IoCs (resource / yara_rule):
  behavioral2/memory/2280-0-0x0000000000400000-0x000000000040B000-memory.dmp UPX
  behavioral2/files/0x0008000000022f51-2.dat UPX
  behavioral2/files/0x0009000000022979-6.dat UPX
  behavioral2/memory/2280-1896-0x0000000000400000-0x000000000040B000-memory.dmp UPX
- Drops file in Program Files directory, 64 IoCs (files created under C:\Program Files by 79fc6ace5668a85e02e0e569411730054d312595cb2417e659d5073dfcde20ad.exe)
Downloads
- Filesize: 87KB
  MD5: 6dd2f41ef8f50153613383080c6d96ce
  SHA1: 56ef645fbced8f474550e71b36655fcdc6221240
  SHA256: 9bcd4025a0293ca4d94e7c13a173c3c0efc28caf4291558adbb9a8258731494a
  SHA512: b5c895aa7063108d4d1e6a9394d507f6ebc662287a8a1c3caf442490da77785ab673ae7a28cc474b6917bbc56c9b595f1948cf1563539382a0974feaec860504
- Filesize: 185KB
  MD5: faf959053b447bb643241edf7e3668e2
  SHA1: 0641e3a842127907f64abc9bbc4a2e4eb1962955
  SHA256: 2879d0f21356ac3fd73fc540ffe3bd3f0b629c0b35cb19418d81f3fe3115a753
  SHA512: 99c119ede67530f501579633005aef1b8328476818fda617de768aee38637267fbcf4cacb5b1fe839e2c0bac403f9925022f61c1a556453efdcb91f6a5ad8ef4