23f113b56c410d272d4c5f00eaf819356db3b17b106f0fb95ca4a54d69318700

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e2478e0131bcf5659f8b35bfce8f8d0N.exe
Size

58KB
MD5

2e2478e0131bcf5659f8b35bfce8f8d0
SHA1

9a179a770dce30c515b3a8b84cd8606aaa2624d3
SHA256

23f113b56c410d272d4c5f00eaf819356db3b17b106f0fb95ca4a54d69318700
SHA512

4444e66d66405c4098675dd5ba93a482542cf4e47229d00c08699ba3ac46c5d99cc252f0cbc1dc7fa76a2c8feedef85c43b1276882f0ccb177e5d236ac6c8942
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzr:CTWn1++PJHJXA/OsIZfzc3/Q8zxSLm

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3724-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000600000002324e-2.dat	upx
behavioral2/files/0x000400000002292e-6.dat	upx
behavioral2/memory/3724-1118-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEV.DLL.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sl.pak.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	2e2478e0131bcf5659f8b35bfce8f8d0N.exe

C:\Users\Admin\AppData\Local\Temp\2e2478e0131bcf5659f8b35bfce8f8d0N.exe
"C:\Users\Admin\AppData\Local\Temp\2e2478e0131bcf5659f8b35bfce8f8d0N.exe"
1⤵
- Drops file in Program Files directory
PID:3724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-771719357-2485960699-3367710044-1000\desktop.ini.tmp

Filesize
58KB

MD5
f50ba6cd79332a5d66ba7710c1555d91

SHA1
4ec9fe424cf01f04fa0b696eb3464fbac046397a

SHA256
1f2d476b137c0f65b0442165f56bdcbaa82915a4f8d706d5157fca6a073cadd7

SHA512
6c7bf3f23b9ce55a82ac29173b05d333c47c3826f9e31bf1f663aa25538be3f4ea3fb58be4dc8b5b778d58c76984d420ceaaee49c29ce7431ae016a6162581aa

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
157KB

MD5
7103e513652e94976f239182d062c115

SHA1
06f891129827e9baaa1d2fc1eacd429d59626670

SHA256
1a10c28aadfa25d6447a9911fe5d4cd50cf4aa8880503a33dd30f1a903bcc602

SHA512
08cc41e9072c43c96dd711a5e14ed29bf982aea3d9fe811f3a84af2eccb74709ed00509498a95d848376967bca3dc5b5a0997bfca5ed943dfc8aa2d4481e7202

Download Submit
memory/3724-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3724-1118-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads