6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 23:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
Size

56KB
MD5

1f2dfaa49516b928becfb0f2a489bb92
SHA1

6c73ac67dd106bc476ba321263ab50388333e28b
SHA256

6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105
SHA512

0ebeb38a41c0917944fdfd9436d8061585a0f9004f10866539dd8f17f126398cf70cebcb33124e14b2430160fdb579acb12cd68b3dee59abb11a8a75a2116d2f
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzB:CTWn1++PJHJXA/OsIZfzc3/Q8zxSLs

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4841) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2892-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000600000002324e-2.dat	upx
behavioral2/files/0x000400000002292e-6.dat	upx
behavioral2/memory/2892-1072-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\external_extensions.json.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoDev.png.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\DenyImport.ogg.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini.tmp	6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe

C:\Users\Admin\AppData\Local\Temp\6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe
"C:\Users\Admin\AppData\Local\Temp\6cd649bee2724b85532ba0dd9a1783ed602693f161c820ee2582820b7bb6d105.exe"
1⤵
- Drops file in Program Files directory
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-771719357-2485960699-3367710044-1000\desktop.ini.tmp

Filesize
56KB

MD5
94a4edf52163192832940dfd4430e895

SHA1
5f8e773e9900b28e3e34c529ce741492235436df

SHA256
eb1333cee14c7d791473aa3ecb15fae5b7d21fc0e352b5c1beabdd836dc1f192

SHA512
029a82349579d2ec7d215ba912fef1765c3ebae748a8f373e96e6147f4f3a35ba829dd834ecba544186e067d2275c6847a91499fe74c9f65e23d5f5cfe996ce5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
73fc4448f2c4af977feec651293dbdeb

SHA1
2a0f34c16bfe7b15d4f8bbe3e9bf18c633f39cbd

SHA256
cf8d748420c40b763e9ff4b5d6603ba01295875c95ed64102e949c9fb4578cf4

SHA512
0442c9de2a6b3a47d6d6e9d166f4eb2b5a21afbf3a375b9e54d47027dee260a5da8de58c0d799839d5d13f2772a9e25665e65f30a0b9f913c41035839d1a2669

Download Submit
memory/2892-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2892-1072-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads