30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
Size

92KB
MD5

0957c2a81aeda2af436ef6d4281bd11d
SHA1

0d8c9b45aeba6a3dc422cd15d225b1ed6c8399b0
SHA256

30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8
SHA512

444912811ff16a06e067f1b8a2cd59ac0ab2d3402fa186bd0eb20fad6146fcb234a1d757e71325950842bc3471c0fc57e88f875ddf0a37644181cf512aade3c8
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8asUsJOVYd7n97n4:fnyiQSohsUsKY5Z4

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5132) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1468-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023419-2.dat	upx
behavioral2/files/0x0008000000022996-6.dat	upx
behavioral2/memory/1468-1882-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN002.XML.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogo.png.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe

C:\Users\Admin\AppData\Local\Temp\30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe
"C:\Users\Admin\AppData\Local\Temp\30b46ea382ea75a92651096439ecf1672d0bfd38476f41821a410188e0dbdba8.exe"
1⤵
- Drops file in Program Files directory
PID:1468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp

Filesize
92KB

MD5
8a1b3b3e6eb7550d89d42bc623efc4e0

SHA1
33d2c6bccd3b67503f60c14ef421289e8a0a6177

SHA256
98dc25e47e2a0a5648b42187c6f5658c4fda94ad430c001a036266f5e22b9619

SHA512
3ebdb1d65499383db6b20dd9145f032dc0c615013a2d7b6feffec74d4f134550453317e17a9962805a0dc1381e74fe25dce5ce630755aab3f7be00ece8896847

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
191KB

MD5
6918317d75f8f9078aa5f7eed58f7c92

SHA1
965cfb7c0acd782007383e07c86c3ee6124fe707

SHA256
4dc19271ff554bb1a0d3772962910a4bab0d34580fec3eb73d6c6d0ddc96c4fb

SHA512
9f5f8228afc0fdf55b5c2e1a0518bb41a7575fe4521c894065db23e02fdd599522d02c524c69b31f35394739db3e2ef5100d3b21650bc02643c491e298c7beba

Download Submit
memory/1468-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1468-1882-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads