a18c2aebad71d64c3ab11e03924bd533f9a04730ca82d5c8abcc7ddbe3fe46ef

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba02c5611b85e1ca697d9279dddf7320N.exe
Size

66KB
MD5

ba02c5611b85e1ca697d9279dddf7320
SHA1

c9b492e755bb3ad21a40646fe58042148fc8976b
SHA256

a18c2aebad71d64c3ab11e03924bd533f9a04730ca82d5c8abcc7ddbe3fe46ef
SHA512

e82d5c6b20fa865de8c5cbd6e16af5267dfecdbd30a623ccc67e824b6fc84f4cfc3d627fc9c985469538e234c62ce06e022239517e8a3f39685c20cdaba2aaf9
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8zxviYiaE+UpCUpk:KQSo4iYiq

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4643) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4416-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233fe-2.dat	upx
behavioral2/files/0x0014000000022932-6.dat	upx
behavioral2/memory/4416-1122-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\optimization_guide_internal.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\ReachFramework.resources.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\msipc.dll.mui.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	ba02c5611b85e1ca697d9279dddf7320N.exe

C:\Users\Admin\AppData\Local\Temp\ba02c5611b85e1ca697d9279dddf7320N.exe
"C:\Users\Admin\AppData\Local\Temp\ba02c5611b85e1ca697d9279dddf7320N.exe"
1⤵
- Drops file in Program Files directory
PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
67KB

MD5
7d1aaa970321de64e08a1d5ab4f380bf

SHA1
8248084b5e824c853ed75b5cc28c85595b4d421b

SHA256
6d59c3811fdcd78c149dfe9f62440c9510aab52420a2fad1a5f888c33d5fba6d

SHA512
692aceed35d72524c47d28e811c569d35501e205281b591e02224804b9a7460681df63401b06a000668d7e8be15c6104b07d458a222274d6665f44160a7ac903

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
165KB

MD5
333165068c68d70055447daf9e45ae4b

SHA1
9da9761c87cf71ae8a338098aaa668ef7602b18f

SHA256
e4cf313a21d40309245692f5f98d27d716272ab6897c4241b5826aaec5916a80

SHA512
23592b9d67d00087f8b42c0f92a1d8c57e39b175cf0a23a875da32484a54fd52b017b6c4529ddf6f53dad9c9061f3df2a6efa1683097f217d18a7805b39c471c

Download Submit
memory/4416-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4416-1122-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads