36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
Size

21KB
MD5

fa4af53ef11197dd84f7ad3356126cf6
SHA1

dbc9b67ebf18dec19e7f7d7013c4bd99c20ae3e8
SHA256

36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0
SHA512

550aa426e6f3efd6459dae4999f4fc379c615c284043fcdca9b51de7c123677313e23c8a3821b437b5e6d1e50bac506d50e709e92c38052b8f8e4d5f22a102b0
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJPbUEobUEnr8BpUjcVer8BpUjcVSoZnOriJfoZnOriJ9:kBT37CPKKdJJTU3UQreUYEreUYYoZnOD

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/556-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000900000002347a-2.dat	upx
behavioral2/files/0x0014000000022932-6.dat	upx
behavioral2/memory/556-1118-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONWordAddin.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.did.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnvr.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.bundle.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\sk.pak.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ppd.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Java\jre-1.8\bin\sspi_bridge.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSI.TTF.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe

C:\Users\Admin\AppData\Local\Temp\36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe
"C:\Users\Admin\AppData\Local\Temp\36cdf08677441e55454183e46009f8454cde5544c27102aa51e9ebcef929d7e0.exe"
1⤵
- Drops file in Program Files directory
PID:556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
21KB

MD5
8380f27a7cf44bafa10ce4d923fa8828

SHA1
682fb902c13094eb6854c76720c4490af1e94ab1

SHA256
cdf2196e5cf566939252cfae1645de47da61beaa944b580d3ccaec5c238d6f6a

SHA512
27bcf3380037873745655ecea219324783db6051d4ed54db622c0e7896a4656601d4244abd00e9c2c322a737737eb680dfc1e105063a75f4bc2f2d1eb5b5ba0d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
120KB

MD5
470851998185907174429061ef58b177

SHA1
6bcdf3b74882c56deea360e33cdb62fbff388925

SHA256
aec1e748965b14a3f816e1ebb06b5762c290f76464f7bccf95c50a7764f017b9

SHA512
edc9a61eac5a615b4ecd5a5c957e6895a4d7fffe6040965dc5aeca7aca2d01030fb026a414269616e3f61a3d75cc74527bf42b2f36294f66bef8fd981ceb0787

Download Submit
memory/556-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/556-1118-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads