6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
Size

82KB
MD5

a64640028f2f93f486120ca4d21dedae
SHA1

af1c741e1b41771ee0b358cf9f8f66b90fe4a1e0
SHA256

6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6
SHA512

ef802bd320dfb8d294f3a134e86ed78a299afe4a9b560c002fc44f382bde5f5b3d36675c73d9607b7ceb65b447d0607de3195b545c4c72242f181207760e8cc3
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8Q8/8sYcgYcj:fnyiQSoskz

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5173) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/872-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x0005000000022975-2.dat	UPX
behavioral2/files/0x00060000000168ae-6.dat	UPX
behavioral2/memory/872-1896-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/872-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0005000000022975-2.dat	upx
behavioral2/files/0x00060000000168ae-6.dat	upx
behavioral2/memory/872-1896-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.tree.dat.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\servertool.exe.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32mui.msi.16.en-us.tree.dat.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msspell7.dll.tmp	6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe

C:\Users\Admin\AppData\Local\Temp\6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe
"C:\Users\Admin\AppData\Local\Temp\6326a700f3bd449fefc1691ee4b9f64d870f352ae5f299d63df0d21b10c790f6.exe"
1⤵
- Drops file in Program Files directory
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4336,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:8
1⤵
PID:984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp

Filesize
82KB

MD5
93aded9b2b1d87f186585a42777ad4f6

SHA1
1cf492e60039422510fec18c8b54c04188d53296

SHA256
a76ad671073ea61efcafef538a29f5cdf60c087c711482daceb259f0442e8d93

SHA512
5cb3da722d70d074f51e8e8df87a85e334a26b0e7e78e4c4edfc013e001c869681a26de2a2054b46f3bd523b6198f4e59ad8a6234053f5bdd99e4fc6e392a1d8

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
195KB

MD5
cb90e938a0ec8c05e698f544cc063417

SHA1
011f6e769ba8eb33d9a6fed96924a90f776e749f

SHA256
0ddc583f61b9cfcbb1a8db98e433ac08acc2e9bc6c2713688f69ad033aa5761f

SHA512
952470c2a22e8041a8de11210ddb03a51ad5074c54e7d2609cc7a2ce007b2c0bac24ac4af634cf3f1cab7f8639f183ba2a7eac891a8c81ceb12d9d7a737c114c

Download Submit
memory/872-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/872-1896-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download