45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
Size

49KB
MD5

c701fc223aad55f6eb6b3ffe260f8a86
SHA1

51db080db3fb9187e2588dba0ace0bf4e6f7379e
SHA256

45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7
SHA512

e3705d8820b896c0e7ed93585cb25762feb6f90dfc0fc75f4c7f2df130faca70f3f71e156511f7d9f2bd8d869f80251a3dc0d5f6ac1c36c10023047e5ac67607
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFzK:CTWn1++PJHJXA/OsIZfzc3/Q8zxg

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4651) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1128-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023472-2.dat	upx
behavioral2/files/0x0014000000022923-6.dat	upx
behavioral2/memory/1128-882-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\SmallLogoDev.png.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe

C:\Users\Admin\AppData\Local\Temp\45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe
"C:\Users\Admin\AppData\Local\Temp\45f3aa645b9b0d8ec4da494383804c5308db65e80ae255c860c3349935ea87c7.exe"
1⤵
- Drops file in Program Files directory
PID:1128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini.tmp

Filesize
49KB

MD5
5a3c3c49fd80ca5bcabc44223bf97292

SHA1
735db4ef82568180d30ae6f5da96b04957365c3b

SHA256
76b11d6f2cec8cf4cb00af8396effe954613e0f7995ff55a72c53c9c46aad0f2

SHA512
3984eb8a77da333335d72856a9b9dc06142b5f41467ca49020bda24098e00db997b23ac8c32cffc990a728d9d9eaf3946f00100c0f1964fd031fe4435e2ecb24

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
b48b3a9a6475f940a4c360dd5f821942

SHA1
921defc9c0145b038b3525fae84df3adbb1adcd1

SHA256
c7c0dd0315cc216c11e5353e538e35199d0326fe5ec3cd8e6be726d7e53bd6f0

SHA512
fe445564dc8e81f566055a4d56840a9c1957b005ba61bdb5bfbce8eb43c1f70c285062c5b58b500169ad17e4ccb5971e5a36881ffa86abb2de2f210fe5227eec

Download Submit
memory/1128-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1128-882-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads