d27f8bd2e292bd360e2d49b945e61faf07f9c761ffd3abf745df9714308b5991

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fea1b165c0ab995449e8a7d4beda370N.exe
Size

40KB
MD5

8fea1b165c0ab995449e8a7d4beda370
SHA1

aa28d443c37369ed9db9183df03a4e38f00cae26
SHA256

d27f8bd2e292bd360e2d49b945e61faf07f9c761ffd3abf745df9714308b5991
SHA512

525a24f5eaaaacd7abd3a755db28ce1363d222f7da045ffa2b7a75263666ddb9142c9c25490f1f8e7de7ac7b459cf608fdbed9081f9ac3592b3985e7e81dc450
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyA:V7Zf/FAxTWoJJZENTNyA

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4349) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4484-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00080000000234ae-2.dat	upx
behavioral2/files/0x0014000000022909-6.dat	upx
behavioral2/memory/4484-1784-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\LICENSE.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-private-l1-1-0.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\mojo_core.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	8fea1b165c0ab995449e8a7d4beda370N.exe

C:\Users\Admin\AppData\Local\Temp\8fea1b165c0ab995449e8a7d4beda370N.exe
"C:\Users\Admin\AppData\Local\Temp\8fea1b165c0ab995449e8a7d4beda370N.exe"
1⤵
- Drops file in Program Files directory
PID:4484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-384068567-2943195810-3631207890-1000\desktop.ini.tmp

Filesize
40KB

MD5
f13f89b8ef2b7138fcd77cb1992f6c16

SHA1
5585cbbe2a904078f8fd629c1fe97fcaf72cebe7

SHA256
0668f9977b251d09c8337aaa09468b3d4061223dd2c6b806ba0df3dd138cb56b

SHA512
8c9360ad8b131f18354eddf1b697d3858d07575eccdbb1bbbc102d06e306aebd25ca003de6215157a82fa82592fe76d2ef9a07b16c7295b98c22075b6b351a6e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
4ac29945dadcda1fd796ebde23ee883c

SHA1
c49d41539432f22fe7d15b7d945f4b647b784611

SHA256
c63abd5edb4b2db981a6aeaede058bc8663ee0af022333857bc27e2d22270ef9

SHA512
00764e769bb9adb0feac0e308d156b12e44e6097d887082fe873521e4762cf28e05b369cf8c907ef3a295e76ccbe0e0eef477f1104062efb8a8cc6fba1e4c8c7

Download Submit
memory/4484-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4484-1784-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads