994f2f1cf5a1a1af33e825f98bfc96116f5dc8006d5efeae1e59f5d69a4c3919

Analysis

max time kernel
120s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48516815f382649015b5f93b5ed42f20N.exe
Size

49KB
MD5

48516815f382649015b5f93b5ed42f20
SHA1

a20750de3e09d47faf6db7ba7c59431bb2a81f7c
SHA256

994f2f1cf5a1a1af33e825f98bfc96116f5dc8006d5efeae1e59f5d69a4c3919
SHA512

a5964d6deed30799a7cf9e415fea10e7cf1a58a4dc1a7b0b9dac3394b80910e62f9744edf0da55dbac2981f6aff4a05c50ade1a006a8bb4be7918f781b600d38
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFI7:CTWn1++PJHJXA/OsIZfzc3/Q8IZkG7

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4332) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4344-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233f5-2.dat	upx
behavioral2/files/0x000800000002344c-6.dat	upx
behavioral2/memory/4344-942-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.tmp	48516815f382649015b5f93b5ed42f20N.exe

C:\Users\Admin\AppData\Local\Temp\48516815f382649015b5f93b5ed42f20N.exe
"C:\Users\Admin\AppData\Local\Temp\48516815f382649015b5f93b5ed42f20N.exe"
1⤵
- Drops file in Program Files directory
PID:4344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini.tmp

Filesize
49KB

MD5
dc178f757c78391b798001a2029e958c

SHA1
ba9288a65a73b0904e32fffbbf7badee3581d8ba

SHA256
5284a0806f353ea0d450ef4079e1aa057381c7325399908b49758ba218b6a6d2

SHA512
1dc8050b6bbdd486c5a6575214da10f7e52d3fd5bf70fe2b285fa891b9226a75d0113ce89caa331f89a4828d03628202488016544aa762b4e9473138b7513225

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
452c5240b559af88f49be3aa38479226

SHA1
7393a5ccb81bdfc3788a4e66d6d8cfcfb0b25432

SHA256
20f570903e75b479fc238de7e87856016350d477845ccbf14b668a77f54fb222

SHA512
9a8b6f64d1020e07757aca3be86dea053918dbc0e0875121b0a3dd94e6433682fa121b7e65fec29d842c7a44af285bab6a7b5b2d6ef36c03d5d7a0a20bc0c2a1

Download Submit
memory/4344-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4344-942-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads