a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
Size

69KB
MD5

e9103528fa45838f90973c40dc9ab739
SHA1

9a31fc28ddf3acb98d35e3e03ef4963faf931d4c
SHA256

a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69
SHA512

6bf32ef0ed6f7f732d7232fc241ff10c0ac0668bb293624746fcb108417decfbba5aeb66de8e3c2c8debbc461532e3b422f4d0cf25b479794d38ff54d478c4f8
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8NCuXYRYc:fnyiQSoDuXuf

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5109) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3012-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000900000002356e-2.dat	UPX
behavioral2/files/0x0008000000022aad-6.dat	UPX
behavioral2/memory/3012-1840-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3012-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002356e-2.dat	upx
behavioral2/files/0x0008000000022aad-6.dat	upx
behavioral2/memory/3012-1840-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nl.pak.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.LEX.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe.manifest.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ja.pak.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe

C:\Users\Admin\AppData\Local\Temp\a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe
"C:\Users\Admin\AppData\Local\Temp\a9f8c16797903e84eb9ba42300ea2b8a305530aaeb96acd3c7091a4829521c69.exe"
1⤵
- Drops file in Program Files directory
PID:3012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini.tmp

Filesize
70KB

MD5
bd16917b1f36789b92b338feb0cbf710

SHA1
617b25a33792d4d5e2bd30682ce171d1e6b9f4fd

SHA256
bc0b01e33eb28a776820494790e8a05a11596a051e4c03df3b29abf5be7bf833

SHA512
a9f17d0863f9785440e735381afa0e9f5135f61cba45b7d93610cacf3cf1a965374c3bdcc427aeaa3e733082c3fcbd11ccfd7c8d5e028241282247b63bad5dda

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
f097815c8db7e31b25f3945b4743d2af

SHA1
c7e4e8a2461cf5ed24c3fd9e19f296b2f8918a30

SHA256
acc92df51014399c89e751cf426f4988c35c0af79b4ace0351c1074c25880bde

SHA512
efcd2136e08dcc1ef5e60f7b43aae8dc63e6a274f8d3b135802520471284590a55c248a06d60962e39b9284e329e7c604318730cd907f58a960afae9fdf9cf39

Download Submit
memory/3012-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3012-1840-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download