0fd630cd2a3a40e5a7c91e7b40b82674fb063106fa8d312e89c6ca9b28114f94

Analysis

max time kernel
119s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5727562f999db65133c8b7e376ce0d80N.exe
Size

53KB
MD5

5727562f999db65133c8b7e376ce0d80
SHA1

92dc6e7a83477ae7926dc7bde573a0144020f193
SHA256

0fd630cd2a3a40e5a7c91e7b40b82674fb063106fa8d312e89c6ca9b28114f94
SHA512

579d06b40b00c05ffbe761f6f122b7d7b40816397de4ab1f6daa8c490ab0f0938ece521d3173be1c5e13cdfabf92e53ba416a40aa219dab7df2363ca9b1e842d
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcB:V7Zf/FAxTWoJJ7T4

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4675) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3064-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002345b-2.dat	upx
behavioral2/files/0x000600000001e5db-6.dat	upx
behavioral2/memory/3064-1962-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\FormatSync.mp4.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	5727562f999db65133c8b7e376ce0d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.tmp	5727562f999db65133c8b7e376ce0d80N.exe

C:\Users\Admin\AppData\Local\Temp\5727562f999db65133c8b7e376ce0d80N.exe
"C:\Users\Admin\AppData\Local\Temp\5727562f999db65133c8b7e376ce0d80N.exe"
1⤵
- Drops file in Program Files directory
PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp

Filesize
53KB

MD5
c0f0c5cf45a7e62dfb5addc9078f5fca

SHA1
344f301e9c3e3e5a7de2c87c75a0eebb988abcac

SHA256
e21d4782282b076d2404a22aa3d521c1b54873faf117648ba6c6c01ab327e314

SHA512
9f4b8126c317215ab2a5ae8094e3c6637413e410db45afafc151947eff7825a7475b6465ab1d214149020530cc1e6d78aa94cbdcc6617153871440e5a4b82457

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
57729afac554d3c82ca4f831f2dc6b73

SHA1
4af56cdec219eb8a11a61473e137159914ad2502

SHA256
1d31780079febbd0178559c65d996153da77c4b2515276272a5f5b2478587913

SHA512
7ca34371047b98cc92bb95d848eb2605bee5f9f69eb864f3e4aa6b6e84e1950c5927c533fa51523ae5ccc531c21ce501f00bb16c48b230398f93811f366e9ef0

Download Submit
memory/3064-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3064-1962-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads