263c25017442f65169d3afe9a0b3dfd492d1a42ce4e223caacb1176ee5cb2bff

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

659a0cb06caf03bf06d405aeddb92980N.exe
Size

46KB
MD5

659a0cb06caf03bf06d405aeddb92980
SHA1

e948ee1f1a7c3081aebd329e189160ab11e35327
SHA256

263c25017442f65169d3afe9a0b3dfd492d1a42ce4e223caacb1176ee5cb2bff
SHA512

4593ffaa696c5fa4d209963caacf7c8886be8716b8cc8b9008e88e9ec787b3b888d29b73b7e8cf671bac568f87dcf883f8e331f3bfe2702038f5b0bb85caa403
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzW:CTWn1++PJHJXA/OsIZfzc3/Q8zxk

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4675) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1888-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023469-2.dat	upx
behavioral2/files/0x0014000000022932-6.dat	upx
behavioral2/memory/1888-1214-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationProvider.resources.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Common.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	659a0cb06caf03bf06d405aeddb92980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp	659a0cb06caf03bf06d405aeddb92980N.exe

C:\Users\Admin\AppData\Local\Temp\659a0cb06caf03bf06d405aeddb92980N.exe
"C:\Users\Admin\AppData\Local\Temp\659a0cb06caf03bf06d405aeddb92980N.exe"
1⤵
- Drops file in Program Files directory
PID:1888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
46KB

MD5
d5262d4584c021f87d5d65682c58e4d9

SHA1
d9b855966dce0718e4997f761d11d22dd081e881

SHA256
29000b4845ad239fe052781eebd7c27430f353491e1f701fe7d79dd5b8dbf70e

SHA512
3488ae254112c39c44975af475eff4a089d4fcbb29610d35a3469ec7c30d914242903cafe82726e288070a8b42e33426b4cb1a5d453114ce3c6013c52d6e5db8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
c5a5f87109c82a623d663ade01b1936d

SHA1
87fa8d4bea148e24ae51bf609de83d631aae3e89

SHA256
fe53944cca6a497a29214ee487d668b8c732b05be993eb84a6a25e40b0443b97

SHA512
fcad050d43a6ba518fdd359e1d5541b3ec18e9e8d999b958abb99a56203b645cb1e9173f9f631a428ae1ddf9ec96ff821a7e4f4ee52e11caf125a5cecc7fe59a

Download Submit
memory/1888-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1888-1214-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads