1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 22:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
Size

127KB
MD5

109c3904878e8f94bb4545d781ed5100
SHA1

9e3e4fdac1f1eb5b55198499f75538fd5b8a67cd
SHA256

1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103
SHA512

53bf67d5994dc1b051bfeaa7c1a6b1f2f636beeed6a909223e715d2a52a88e7f7d124f0b755e8f56ce8373f51835bae67ceb9e6e889225b4bd9ae824548d2061
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8asUsxe+eX7n97nPll7n97n0G6GuDRLp:fnyiQSohsUsxe+erZLZ0G6GE

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4851) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4456-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00080000000234e9-2.dat	upx
behavioral2/files/0x0008000000022a75-6.dat	upx
behavioral2/memory/4456-1786-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\preloaded_data.pb.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ca.pak.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp	1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe

C:\Users\Admin\AppData\Local\Temp\1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe
"C:\Users\Admin\AppData\Local\Temp\1066c946febc3da5232eb1f953ad4d13427dc7ca18386e18b64b553068b9b103.exe"
1⤵
- Drops file in Program Files directory
PID:4456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-200405930-3877336739-3533750831-1000\desktop.ini.tmp

Filesize
127KB

MD5
227480c329c54cd39eb8c558f343a0bd

SHA1
2943f6d1d14c6ecfb14a69bddf19ede789922918

SHA256
7297d26bb8114acf975d247b78c274a6fca7191e95ab953149971314233407a0

SHA512
d80192ce453bb1f662aed60079011056e76a1b408e0b3a38ee94b1ec3cd350deff3ac7896a923271563d376006b0d77a7d4125340a28f21cc80b9fc96ee85c63

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
226KB

MD5
db9902563c5972f9d43a26ccace9ecaf

SHA1
9f7499d3f0cea0c75ee4e9e1b600bd602b8331dd

SHA256
b66136c1ecfcf98191c27241d821a74638d41dc2cc94a3d9f5e66f6eec3a9555

SHA512
e4de52a552d5ed8c62bc0af8ea037e19044aa2e5701d2c517fea47505b17b0a89c879f0f0fd439c0065e96e76c80f6c5aa9569879f76285d0c964f7059603d82

Download Submit
memory/4456-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4456-1786-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads