27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
Size

45KB
MD5

6a604ff7ee9171b7b3faf54c45bf84c0
SHA1

18b9f2656fb3817d7a569b362ee0714571d393f7
SHA256

27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4
SHA512

0c67507c25b95fb22a0cd0582259fbd8a1776137b23c114dfb0a9e17c9640460f2d589b95fb9026b68598f38373cb57828a6fe1f63be9536b042eec9d7e53cf5
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFIo:CTWn1++PJHJXA/OsIZfzc3/Q8IZm

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4864) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4620-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000300000001e64a-2.dat	upx
behavioral2/files/0x0014000000022946-6.dat	upx
behavioral2/memory/4620-958-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEIMP.DLL.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-pl.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\es-419.pak.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe

C:\Users\Admin\AppData\Local\Temp\27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe
"C:\Users\Admin\AppData\Local\Temp\27f40b3ffd35b6bea98061295a7bf620386453fdacc3245ee08efbffab65c8f4.exe"
1⤵
- Drops file in Program Files directory
PID:4620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini.tmp

Filesize
45KB

MD5
815e72e2bf74876314290b31102fe89a

SHA1
dfa0917acd5dca0ded3a39fc974b444b55ce389e

SHA256
3a12863e82bf7b037a98d3f74377739da4893f46385941c7ea02994469a15f48

SHA512
853b8bb3dce64c8a6b0c26c7421a954ad40aaaab30a48334a30e4cfe11267b1909814c721c39bcc4beb58ce43ce6c1987eb9a0645c57bce9d1ae4258870bca48

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
b8b8b3d6cef40d6f400384e41a1af68d

SHA1
baf99ed39496c7ff918aa41a826c7f9a24b908ac

SHA256
dbe68ccd4cd34ff97c08b8f72887e405badc24deb2c944a7bc0a93d414da075e

SHA512
54cbbc3e745a967597f24d85e4631a56060dc71d4ac011121af7ef6e847d9d74d8fab7cd850d97457a65bc0d0e0a770824333fd0b0cf60777acac0fe521bdc7a

Download Submit
memory/4620-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4620-958-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads