140e41547f25fa6850039865028aa7448e76ce32b312ee5a336a4a978af44a53

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 08:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96b795c6f4718211a67d8a2eba35d3f0N.exe
Size

49KB
MD5

96b795c6f4718211a67d8a2eba35d3f0
SHA1

28372ef73200be18a4ab46c743aa9c4bac673be4
SHA256

140e41547f25fa6850039865028aa7448e76ce32b312ee5a336a4a978af44a53
SHA512

382a24ce761fdbcf5bfe3f887c493ca9a3b710f8c03c216831a5253799afd48ebbf132af3b2ce4a45dcb2d1bac44372c351f4d3d1b16239666abadae020085fd
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8zxDJevJebA:KQSox

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2424-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000a0000000234aa-2.dat	upx
behavioral2/files/0x0014000000022909-6.dat	upx
behavioral2/memory/2424-1150-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.JavaScript.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\concrt140.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\v8_context_snapshot.bin.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	96b795c6f4718211a67d8a2eba35d3f0N.exe

C:\Users\Admin\AppData\Local\Temp\96b795c6f4718211a67d8a2eba35d3f0N.exe
"C:\Users\Admin\AppData\Local\Temp\96b795c6f4718211a67d8a2eba35d3f0N.exe"
1⤵
- Drops file in Program Files directory
PID:2424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-384068567-2943195810-3631207890-1000\desktop.ini.tmp

Filesize
49KB

MD5
15912c997a071c1055e0ffc2ac00b6d0

SHA1
22776ea91325feb284c0e6ebe2fa45136a8e586b

SHA256
0bac93d52e3e8ed8a14e7c768d5b8811b125346d8a7c2c110c02ec739df77431

SHA512
74058a84ae1e4a7adedc8b43d85db7565f73d04d3e7c864cd650ad5dbdc689efe880ef84d8ade4c26dd66ffe9c6b7d7629b9a9dbea906dd6ee86bcc7b0cdd59e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
9a0d254ad3324f045f7fd258b5102ca6

SHA1
7c34dcf15e5042d8b060c6b6b91d7e773fa8ffb1

SHA256
82b69e480fb2972174208995f7a6a6a2e80ce4c0577820fec64abd67b4bd8dc5

SHA512
b9db790a2f8b1b6db2a1e1e3f5abad8f01ec53bf6f93c4ba80f4376ed006900fdfd061a9019e0be61a7fe0907527f5833cdfb494746ba7fee86438b06bf1b787

Download Submit
memory/2424-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2424-1150-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads