75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
Size

143KB
MD5

f18424b131dd684257fe949b80b9505c
SHA1

028f6393e6614c930542b41d6f2c4a2d62a42cb8
SHA256

75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75
SHA512

52d4fc8a54c162504ec37d8485833b39613a06461a78d1bc82d2ae6c36d69bed42feb3f06d9989a9b6ece1ee3a66e30d2c983a2f657685e9033b75bc2364b729
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxMvDnwHKiROw97D8099EoQwctSt4734:fnyiQSoU5hzaVWkQCNBS

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4818) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4900-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x0004000000023078-2.dat	UPX
behavioral2/files/0x0008000000022aad-6.dat	UPX
behavioral2/memory/4900-1782-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4900-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0004000000023078-2.dat	upx
behavioral2/files/0x0008000000022aad-6.dat	upx
behavioral2/memory/4900-1782-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome.dll.sig.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ru.pak.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sv.pak.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp	75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe

C:\Users\Admin\AppData\Local\Temp\75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe
"C:\Users\Admin\AppData\Local\Temp\75694e9fe51dcc16a24f106d54c13a8ab49d936e5d294ad18ccc541c470f5e75.exe"
1⤵
- Drops file in Program Files directory
PID:4900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini.tmp

Filesize
144KB

MD5
b4dad183375b518ccc41667c3ed0ea98

SHA1
373a4219f9faa2097f1b08d972e882c60926c219

SHA256
f6c25b403b4bddbb4fea3eee7e23eef6456ae44f04d9be772ec257950a4a9727

SHA512
ccd0362b8d1ab873a0364f510db456479b991e4927ebe4568f90ddc87d5960cff08b8060e1c608ed31e9cdcec0cd1f108c3a37f51161d6f7eedcc02da176d3a3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
243KB

MD5
4046d66a6340b691d6bc9dd04c3a2985

SHA1
7c4e469e04911c636d915e96bd1938f096aaa24c

SHA256
1ed4c3baee781aa67eb25dd173d4241ad0a81ea55a8f2fd21d2a8a24c4180127

SHA512
9d4d02bcc42ee2e0fe1aa137eaef98a16ad20ca8a8de5e30f1ee0a3ccaed36138df18c1d0f13bd8db8c6d64d65e2c615dc83fd2d39d1e4450d6072708266477e

Download Submit
memory/4900-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4900-1782-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download