263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
Size

64KB
MD5

363e21ee1ee66b3b29a837150f6f8651
SHA1

234e3169ecdb77921d912ae177619d9d48e49a1f
SHA256

263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272
SHA512

2474a92bdca4a4dcb226c4ee549a2a4e177d1ccd776c4100bb77116d93ed35e9594bac66f7f97f71d249438e480581cb5965df66a31d34e2e32c50068aeac1e3
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8asUsxe+eX7n97ns1o8k1o8U:KQSohsUsxe+erZs1o8k1o8U

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5111) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4500-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x000900000002356e-2.dat	UPX
behavioral2/files/0x0008000000022aad-6.dat	UPX
behavioral2/memory/4500-1078-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4500-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000900000002356e-2.dat	upx
behavioral2/files/0x0008000000022aad-6.dat	upx
behavioral2/memory/4500-1078-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jre8\lib\deployment.config.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.boot.tree.dat.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\es-419.pak.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe

C:\Users\Admin\AppData\Local\Temp\263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe
"C:\Users\Admin\AppData\Local\Temp\263c13e33c59ad45a1e64f1f13877c7b5f8d6a2168b9abf116dfe2eada6d5272.exe"
1⤵
- Drops file in Program Files directory
PID:4500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini.tmp

Filesize
64KB

MD5
bf5c25d408c5fc2b3db745e7ac7fe709

SHA1
6553dc6c12f9ad5a580b82d51512082f6d1aee74

SHA256
85bd2fabdac323826057c67a0639b893c37c1e4fd1bb397ad441b8759fd9e9f6

SHA512
53c4e565f3b5dd5b1a6c82226c7d97cbbfe442bfe517d70d0cac95bc351ad600cda31ff1c156fc9721483502f649651c81042a77a1f5f744b5d73ab2f14799c1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
163KB

MD5
4d4a3c2b6421c7abcaeda1c08e03b712

SHA1
be23f56bf6cd8ca790c383fbba6e91e37cde0c9d

SHA256
16bddc6780c0b63fe04790c94c3ca2b801af89ec692941baf3177306eec8ed8a

SHA512
320144547906519634f67fc800a5b3f326a0df69b9562a4b35ab5a8fb47b79ff13971af861e057f21fbc241dbba7a21b7ce100d2f2f2ca95a8f21efa909c1576

Download Submit
memory/4500-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4500-1078-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download