19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
Size

51KB
MD5

4c7fa30f96af5161686b8065d7dc8028
SHA1

b821118e3c106aef2d48d0044d1dcc491ada8475
SHA256

19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf
SHA512

e57c9a6d484cdd1fc159bf585d50939a0d70e3994ea4a2c6a6acd2ef1965a24a900fac5162cf091fe6c5b33bc2d7b016124aa1c5c6cf7f8391af6fe088765e64
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzS:CTWn1++PJHJXA/OsIZfzc3/Q8zxUkI

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5335) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/1436-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000500000002326f-2.dat	UPX
behavioral2/files/0x001d00000002292b-6.dat	UPX
behavioral2/memory/1436-1216-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1436-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000500000002326f-2.dat	upx
behavioral2/files/0x001d00000002292b-6.dat	upx
behavioral2/memory/1436-1216-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\libGLESv2.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officestoragehost.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxT.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LHANDW.TTF.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\tr.pak.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-processthreads-l1-1-1.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VVIEWER.DLL.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe

C:\Users\Admin\AppData\Local\Temp\19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe
"C:\Users\Admin\AppData\Local\Temp\19d872cafec60d3c3cf512b6879dd4c351d06a4c04b7f535c31ad911fceb0faf.exe"
1⤵
- Drops file in Program Files directory
PID:1436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp

Filesize
51KB

MD5
24098123e188b0a5fe3eb4bf0e01d37b

SHA1
bfd350cde578b0c6201b670c2a318e11a660d0d7

SHA256
3b550208f2d5e4e6838af3cf65785286c7ea0d6c790e952a2b643a368aa4e379

SHA512
688f7cf6456919e011e12c9007a87d34f17ee77472604c1299074455fc0565be83b4c7fd27e55c2505f534e2703cf18624174522322bf130cdea7da791b64869

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
638f5058dedd124292f93fec8b3c3209

SHA1
0c804f21643d0565b5d297ee26e3b6b9e4ddb5dc

SHA256
df043559b768bb5cc51b5f93dbd7b4aefcd9548b9c79220acf41a182d86bca9e

SHA512
6d1b6a2d2341581803a6218e6484f97b4e9ab5d880b7939225d61aa900b7f5139bf3b0555c77aa799fe2ab2c36aafed7013247ca3efbbd5003d79a0a91d28654

Download Submit
memory/1436-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1436-1216-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download