d91f8b9eddcf66d0268b83e49a4117c2b27b3ca1c74b005516ce514214adea8e

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6966c64e183106a2aa1e82d2912e5c40N.exe
Size

122KB
MD5

6966c64e183106a2aa1e82d2912e5c40
SHA1

07d95b5bb89d71e97f88865bac010e2daef72ce2
SHA256

d91f8b9eddcf66d0268b83e49a4117c2b27b3ca1c74b005516ce514214adea8e
SHA512

79a8380c920750a83634597d4e91b26d0538e47b831fbc57970fb5103b83d8b9098876e113b694c6c057a71d7c71e0ed7000082a64872b4eb3122d6cf5360da9
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxmTWn1++PJHJXA/OsIZfzc3/Q8zx7:fnyiQSo7QSoG

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4237) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2736-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002346b-2.dat	upx
behavioral2/files/0x0014000000022923-6.dat	upx
behavioral2/memory/2736-1740-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\hu.pak.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\en-US.pak.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fil.pak.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	6966c64e183106a2aa1e82d2912e5c40N.exe

C:\Users\Admin\AppData\Local\Temp\6966c64e183106a2aa1e82d2912e5c40N.exe
"C:\Users\Admin\AppData\Local\Temp\6966c64e183106a2aa1e82d2912e5c40N.exe"
1⤵
- Drops file in Program Files directory
PID:2736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini.tmp

Filesize
123KB

MD5
0e3453ec9df3d442868a620681065d55

SHA1
9d586f9f50a5a9a685078a555ac49d85b2845496

SHA256
90e9701307dac3c155655230c6ac60acebc14d44590f5f8e1a4b2ef017ad0b2c

SHA512
358c92a3054d8344e6b27697d432666d47d79cc5a0dd8d21fe4119d9dcdf1b7b596d254792fbabfe452c3a3027920809f3a4dda597103c4db25625db064f4f8c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
221KB

MD5
93e8b4710b6d579611e76e08f3f14d98

SHA1
a9d611db7c7129694a7b968dff6eebe7afa3661a

SHA256
57b4dd1d2463e4fec100daddae0408439ec6b7b2054a7e92793a25916c29b50f

SHA512
67591da120dfd77d6cd60610736e5622039e0e5377aec9a820eaed1fcd8535648170a0e48817090680a8c017030ea85784fc08630e6f9b3c4184ef0209f3d484

Download Submit
memory/2736-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2736-1740-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads