f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771

Analysis

max time kernel
150s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
Size

46KB
MD5

92d0e32d552b95cbd01080b1c6f45bfe
SHA1

7ee8ead0528c81cb69356bfa5a43270d57022bf1
SHA256

f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771
SHA512

ffd4fa3bfd19a8d8e97df83e299bf554bcf1b9f0047a4dee855e64dd8de0bcf79371fc37d0a280ad7430bbbb25ca0235c51eb592220cf44341ddd742775d6d00
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJjtf8WUtf8WGoj9COieQJfoj9COieQJ5C+9T3:V7Zf/FAxTWoJJ2WjWpf1fEq6

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5237) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4296-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000a000000023400-2.dat	UPX
behavioral2/files/0x0009000000022979-6.dat	UPX
behavioral2/memory/4296-1978-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4296-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000a000000023400-2.dat	upx
behavioral2/files/0x0009000000022979-6.dat	upx
behavioral2/memory/4296-1978-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\DismountBackup.tiff.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsFormsIntegration.resources.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\v8_context_snapshot.bin.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\manifest.xml.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.tree.dat.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe

C:\Users\Admin\AppData\Local\Temp\f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe
"C:\Users\Admin\AppData\Local\Temp\f9466e64f9273673cf5da17429eedf9f4b1641c289ce89ac609947d48ab7c771.exe"
1⤵
- Drops file in Program Files directory
PID:4296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp

Filesize
47KB

MD5
1d5355d7719eca036c34fa148300e0ce

SHA1
a852524443e6943d8c7ca4581a0991e73289bf12

SHA256
34d6c261d68d2365b4d187c86903a7bdd88880e39c506a12b104e0572475c32b

SHA512
2e6feb0352af8773446d7c2b1794a73e634868679951f658252991fafb9d6434635af34578d018f07e19ebefc422c78966c91b9dd7cfc68ef8278c16667a028e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
980c47834eeaf28bdad282f2652e4a49

SHA1
013a52f8c71620ea5620a1a9f5d1673c81d67014

SHA256
34a7701f766cecff5aacae3a013416aad8995cffc0df6485dac2fa7e62733f67

SHA512
d6832548116f3603671f61da6f954c2834bface99c9f249fe219137349091fe67c5d7d442ae1cc25f2e61ab0f86f7772cef45e76512907af6b8134e2766dbc36

Download Submit
memory/4296-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4296-1978-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download