67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
Size

138KB
MD5

5ec2ca34485f0ee837c82fd0b17226b1
SHA1

022beb9d53f784b3f38cc72df9ef0ef5f929c9e3
SHA256

67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4
SHA512

3ae1b4a3cc1f42c255b664d39c953c40ccf04b20c9f48046540ee7ca8b5d8715c4c928d1e9581480b35bea968dde66a23b07b71125e2a40643bfabbb9639fd13
SSDEEP

1536:V7Zf/FAlsM1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSC1:fnymCAIuZAIuYSMjoqtMHfhflixi8

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5021) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/2360-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000d00000002337f-2.dat	UPX
behavioral2/files/0x0009000000022975-6.dat	UPX
behavioral2/memory/2360-1824-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2360-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000d00000002337f-2.dat	upx
behavioral2/files/0x0009000000022975-6.dat	upx
behavioral2/memory/2360-1824-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBCTRAC.DLL.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\Logo.png.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\id.pak.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPCORE.DLL.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe

C:\Users\Admin\AppData\Local\Temp\67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe
"C:\Users\Admin\AppData\Local\Temp\67ab2d61dcf5e7de7ea098fb4a9e17e82cadff490e8c61bc7450162ca29eb4a4.exe"
1⤵
- Drops file in Program Files directory
PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp

Filesize
139KB

MD5
a406edf72c97e3e883f9f62e9e2bec9b

SHA1
bf3e06bd39663059f7271e8f25d27f5c29a80597

SHA256
25d820e1ef72cad935b646c1d2d4ded29a5bf367c9dcbd3961046fe8d814b837

SHA512
3c61aabc1468bba8cde88eb9021091666969b350133cc62554f5ce1c6474aeabb23360b48d73a764a44d37853cb3f9d4086366e016a4f635d58e1dbda83bc5e9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
237KB

MD5
776c8a5e5bc6207e1ed89bd91b7e0195

SHA1
33d0b60205c4b701c001308cc447ffbb4520b869

SHA256
183f370b5c9a7eb15412d7fbe5dfbc2b094dd78a1d5c25618df472614a3e0304

SHA512
4c51cb208bbf8b7b6825ed4c6cd920de884b3c342ae7cb8d57b4bb0fbf1eca5abdcb85c137447cb86fffe50e86e87e03a4cd323e5aa314466d9bfbcc20a675c4

Download Submit
memory/2360-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2360-1824-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download