e3b1f8ee7a64e38f1f0ab4d6c5968be4560cb79d424e026fdb6ba4592c147ca2

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26341df8a0256d8d123a3a8679946360N.exe
Size

78KB
MD5

26341df8a0256d8d123a3a8679946360
SHA1

fbbb33112a4b05bcaba67811a0a345468568b1ad
SHA256

e3b1f8ee7a64e38f1f0ab4d6c5968be4560cb79d424e026fdb6ba4592c147ca2
SHA512

f3ec38e4a6b4b3598d5cb229c61bed2b3a08ba34829bdc778592ea20d392d6c58ba2d636d7f922a40cadb32e3c3c25872f9b965e9eb5850c372faa14c0fe1d10
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxSm6yB0kwNBQ0nQi:fnyiQSoCvi

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4307) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4124-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023437-2.dat	upx
behavioral2/files/0x0014000000022946-6.dat	upx
behavioral2/memory/4124-1750-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE.HXS.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp	26341df8a0256d8d123a3a8679946360N.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	26341df8a0256d8d123a3a8679946360N.exe

C:\Users\Admin\AppData\Local\Temp\26341df8a0256d8d123a3a8679946360N.exe
"C:\Users\Admin\AppData\Local\Temp\26341df8a0256d8d123a3a8679946360N.exe"
1⤵
- Drops file in Program Files directory
PID:4124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini.tmp

Filesize
78KB

MD5
d02ee329c29bba5004f3d86e8a875be2

SHA1
55b28025a1c27226d7ce3c7b6ae80ec9a7f96735

SHA256
822c70b1d27c44020baa079f35f6c7ebd0962e49c25a9114352622a01a1736c6

SHA512
532ef021f47f35ad616adef4791d70fb7f65666160e333b321f09f8897c4866aeb6b19d21766ff5be1e3039740488efa7279c3447440f95aea4842776dd84712

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
177KB

MD5
0e32393d87f6aef19f92bae955a87bd5

SHA1
941d46be9ca8b1c11975db654e5298821577b6cd

SHA256
f2d5e2db19f27fb9a45c6445f8fd06ba4f7f2ff95465c420da84b92fdcd0c5cb

SHA512
dea931a09d07c7081286ca0d4adf359ed585d8426c2fc10ddc61d45c6483a4f68c98c28e8fd0441af037f35b7bf71fc7af4740eb2f0aec1233c82aa686792069

Download Submit
memory/4124-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4124-1750-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads