9c2d839404b9ff317fd86bb74aed5bf63b2038e7b9a6cbd2e5c86d86bfd37323

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0122ef19391ba8a15732c1abc9ade560N.exe
Size

45KB
MD5

0122ef19391ba8a15732c1abc9ade560
SHA1

57f4a60a969611aec3c4318d67bd98277f4f0275
SHA256

9c2d839404b9ff317fd86bb74aed5bf63b2038e7b9a6cbd2e5c86d86bfd37323
SHA512

0a9381444b775eba3d10b236c30eb3cad7b6502e5fbbe94c969e6d8808eaeddf14f9db87798436c7cb2ec1dffd65eff95251304f5395825af1966e7ff84b2eca
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFnz:CTWn1++PJHJXA/OsIZfzc3/Q8+G

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5060) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4196-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00080000000234bf-2.dat	upx
behavioral2/files/0x000600000001e6e4-6.dat	upx
behavioral2/memory/4196-1078-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\Logo.png.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OART.DLL.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_wer.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.tmp	0122ef19391ba8a15732c1abc9ade560N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	0122ef19391ba8a15732c1abc9ade560N.exe

C:\Users\Admin\AppData\Local\Temp\0122ef19391ba8a15732c1abc9ade560N.exe
"C:\Users\Admin\AppData\Local\Temp\0122ef19391ba8a15732c1abc9ade560N.exe"
1⤵
- Drops file in Program Files directory
PID:4196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini.tmp

Filesize
45KB

MD5
85d9482d6a915faa973dcc5155b4e793

SHA1
adcd4ae28de68d25919e4d2cf3ed446375e3d258

SHA256
053a67de460d8e520231349b4b526d0ce81badc3da941135bffd04c90cb1bd3e

SHA512
29f8188c380e0e3c513a13681702f6bdf4351bc86f709bf5569e7a4253a821ce4e75d75de7386c2332f716c386f9f21e20f385367e9935bc709c62930f35a266

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
4ea6fd3b853cf8b51fb547784ee62774

SHA1
dbd7727bbd5f95466f8df119b1a235e35e5a3601

SHA256
50c78adef100f9fab3f50638f8ab6b9f9cb4c653f1dd60707adbaca5abb76d69

SHA512
c6ee8187b8e5811fe7b7ff47c63e1dec5f97da4942e134968b729d3e530cef78c9657dfdb8aca9b69d22bf14f60eeada7fe3483788363bb0eefc20952787ade7

Download Submit
memory/4196-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4196-1078-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads