899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c

Resubmissions

05/07/2024, 22:36

240705-2jc63szgkb 9

30/06/2024, 23:59

240630-31zxvashpn 9

30/06/2024, 23:55

240630-3ym59sshjn 10

Analysis

max time kernel
1472s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
Size

90KB
MD5

6222154957fbf89f273719c001f82a6c
SHA1

14a13a772f654c8d46de97e56db3e75ffaeb86fd
SHA256

899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c
SHA512

6bf4e345f1ac322a7fab6beca852765ac369b7bffd6007b272aa5458f4c354804f891a4aa5d22c4fef60dbb5e0e5eb37645bfe98413f4de91b8e925294d13af0
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8VCnXxX81jmQJHdJHr0GUykUyN:enaypQSoPXxXTke

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (9880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/112-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000900000002324b-2.dat	upx
behavioral1/files/0x000400000001d8b2-6.dat	upx
behavioral1/memory/112-308-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\PresentationFramework.resources.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-16.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\20.rsrc.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\cs_get.svg.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-256.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureUIStyles.xaml.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\af.pak.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-40_altform-unplated.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-24.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-white_scale-125.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\msasxpress.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\xbox_live_logo_white.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-default.svg.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\msvcp110.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-125.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-125.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.strings.psd1.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Forms.Design.resources.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Forms.resources.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.Design.resources.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\154.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\EmailAction-AdaptiveCard.json.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsvorepository_plugin.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlInnerCircleHover.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-200.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Resources.Extensions.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-100.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotExist.snippets.ps1xml.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\az.pak.DATA.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_sr-Cyrl-RS.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationProvider.resources.dll.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-100.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_MedTile.scale-200.png.tmp	899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe

C:\Users\Admin\AppData\Local\Temp\899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe
"C:\Users\Admin\AppData\Local\Temp\899f9eb14b629b413d8fa84dcc1653fa2477e8fa4e4f119cd02dab78f9e7a10c.exe"
1⤵
- Drops file in Program Files directory
PID:112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3184 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp

Filesize
90KB

MD5
411139f9bcbb5b457af2e75d0c61e95e

SHA1
77cfbc628555ea8b1d03d0d21a5c3667ef36ba3a

SHA256
36b5694a874854f829df36d7dc583ce84473af718fe4801d9eb8aa06740f769a

SHA512
38c0df3b87d69f883e3ab9c86e8e44a90d49b38196f2fcf271fbef752f79481abac3776e4b75a4557dd3de812493e6fb20037c66db0381a3e378e8acfc0e7574

Download Submit
C:\libsmartscreen.dll.tmp

Filesize
90KB

MD5
038ff3c3ed82a31ccf91fc23c7f3684a

SHA1
b25758cc28de1e72ffd9c3bc1134df01928d2f38

SHA256
fcfdf2c9d0f4aa0c4b2c4351960118e768a2fc949c171d14027bb363582adfc5

SHA512
6929050ce093de6eb7d23994efe1b1569174a14b1a1aba62b7050d350cd469d0a4b40e8289f9f5fa1424da8d8665abe6161a255beee14b2a3cfaa85486358296

Download Submit
memory/112-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/112-308-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download