608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
Size

66KB
MD5

cec14728484a44f946f56a5d3986863d
SHA1

9282b74991d58bf34c0a80a275b41735085280ac
SHA256

608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5
SHA512

2bbffef5848b3b307e0e132d24674af5362f88f772fa69e28abefc957b51dc48de92994ece95ed4edbbfea601e9bae81ef1e3287d26ae4c77cd29d47cce6be5f
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwABT37CPKKdJJxdPO9Ot6K/K2/R:V7Zf/FAxTWoJJ0TW7JJQOEK/Ka

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/5036-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x00070000000232a4-2.dat	UPX
behavioral2/files/0x0008000000022996-6.dat	UPX
behavioral2/memory/5036-1588-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5036-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00070000000232a4-2.dat	upx
behavioral2/files/0x0008000000022996-6.dat	upx
behavioral2/memory/5036-1588-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\bg.pak.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Java\jdk-1.8\jmc.txt.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe

C:\Users\Admin\AppData\Local\Temp\608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe
"C:\Users\Admin\AppData\Local\Temp\608829dce933fbb775d60a92a5762f645ebbc253099e641c534c18230b137ad5.exe"
1⤵
- Drops file in Program Files directory
PID:5036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp

Filesize
66KB

MD5
87c857a880c948fb5930e70cec4eb5ee

SHA1
49f693d598db899aef159b7afae3661808358304

SHA256
8c902f20e9cbeb953285bc82d3cb17fa859679c04c899dbe5f3e942276513a41

SHA512
dad56a3ccbc225dbcdd41e4f39083ecf1f4d09dd83c7d5ebaef2f5695cac8364f19c132428d41ef4df79f56c5aad575b62fd1d82a71d5e72cf3d816d5313c7cc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
165KB

MD5
626a6ad30c48fcda911eb8cb15a27838

SHA1
81719c4ec3e7ab07203182586bc4bcba3ed84511

SHA256
c5a76fd9f4ea6e4627101c16b032dbeee97d4791a543392ba541985da41af0cb

SHA512
de7b65896cd6d57e670232774c48b7c3ca688d6a7362accbe8982d0ea3ab4f747a6a390578eb988d7857631c2261b17f9483a0c8f9000cbc6d644c9fc1b4c2e0

Download Submit
memory/5036-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5036-1588-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download