664efa6e886094dbb764aab9d0ed347d875c1bbde8965becec45537393aea4e1

Analysis

max time kernel
120s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

567b14738b31d1d464f0ca41cd83fcf0N.exe
Size

66KB
MD5

567b14738b31d1d464f0ca41cd83fcf0
SHA1

60a82401051b33d96cd5695630a048e1919802d9
SHA256

664efa6e886094dbb764aab9d0ed347d875c1bbde8965becec45537393aea4e1
SHA512

35ed93ad91dd26c828f31581202fa9f623a7aa40b9f5dde190f09be2e1966322f26846aa19f4bde255122c42c49bfb306d326bc0d2af4749f2e663f35eba51c9
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8zxviYiaE+UpCUpX:KQSo4iYiN

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/316-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023496-2.dat	upx
behavioral2/files/0x000600000001e6e4-6.dat	upx
behavioral2/memory/316-1008-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	567b14738b31d1d464f0ca41cd83fcf0N.exe

C:\Users\Admin\AppData\Local\Temp\567b14738b31d1d464f0ca41cd83fcf0N.exe
"C:\Users\Admin\AppData\Local\Temp\567b14738b31d1d464f0ca41cd83fcf0N.exe"
1⤵
- Drops file in Program Files directory
PID:316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini.tmp

Filesize
67KB

MD5
dd7447cc5df3bea0709261324937a74b

SHA1
defa4dea98c49934ef2b6ca182d5c186aabf7b48

SHA256
f590db7b9c06cb320cd650dfdd2699c83fd05d1cd72a898fdaeaef2431cad067

SHA512
c842a6a60055a6b3a471ad45c41712b88d5f76a18f0f3cbc68f10eaa17cdf3138a1d666cfa39028c4bf3d45f27b2d73c137b1157dc39b98f37f913a8f0a3d1dc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
165KB

MD5
c4e8d08dc0bdf9ca55cb074e67998253

SHA1
d5670ed032f0edd3f77017bfaa82f62f84fa0f6d

SHA256
eeafbfbe0447c3b7755cded730f8d1c54d8781007e857cdd20a021491e7f03de

SHA512
c30e500127096ee7e003fd7ea0b66b904c15c644ce2c64edaea06f1c960905d557c39762d839a29392e8534e36ce0422e7557db67d04f705b7dff773bee7d6b0

Download Submit
memory/316-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/316-1008-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads