d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 05:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
Size

149KB
MD5

705e8a77eec84c4894cb843b16f0c88d
SHA1

fb35476dca009ac333bb9ec80550981e189a1beb
SHA256

d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042
SHA512

25b4d0466987d175c3c314739c20ea8d083f1a005f448b7fb63521e7b14a7015835b47052a4e12428a05ed38be3c5ce3676c4301efa8e7e86e250d10e2bf19ab
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8WSjaYavUgJt8ynjorj9SvzpNzCbq9ab:enaypQSoNPvUgHz7zi

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4767) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3808-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00070000000232a3-2.dat	upx
behavioral2/files/0x000400000002297e-6.dat	upx
behavioral2/memory/3808-1728-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11@2x-lic.gif.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ta.pak.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\th.pak.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe

C:\Users\Admin\AppData\Local\Temp\d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe
"C:\Users\Admin\AppData\Local\Temp\d4ea0bc1ed5ff8876fe20f4860239b87e378def0d271521e125b181cc3b93042.exe"
1⤵
- Drops file in Program Files directory
PID:3808

Network

DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2547232018-1419253926-3356748848-1000\desktop.ini.tmp

Filesize
150KB

MD5
31340aeebddeaf6ab8488b5b7390f119

SHA1
610b92de54c6771b45ae537855b4629eb2c43c5e

SHA256
b118791eb83518cfe2a2762f5a9f35d876c810bf2bc718408f56d6ca7e3098c3

SHA512
9dd10305cb840caee114e1ef3446494a95801ec0f9c1de6ef170e1c2dabe5c07158928e339ac77e50b60427427d64b37254cd360e159a06770db4cdaf7b228a3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
248KB

MD5
95155f98571cd7d89d152c2b503b27e5

SHA1
597ee563c1a17665a73d5af3f88098be1fd16d1f

SHA256
1c864eae773dddcd8399d6a4f3334ce0efafe4fdaf5fd50deed3fe72881f656a

SHA512
5e1beee2ced4e1cd34048b07ffd09dbbb8edee9db30f6f3b74c10d5680b6fdf821377b2463377d530af6ef934ca5646aa8d65c199bd975750f644d5e43c75469

Download Submit
memory/3808-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3808-1728-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.