c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
Size

70KB
MD5

cca8155dbbb7495dd5e3af2684901a94
SHA1

9c2779494336ee14ee60638cc9b93d9bc65cb115
SHA256

c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c
SHA512

b4d127c008cb215145b8df1debb7d90cada5498ef410160082da6afc0dfbd91ab0a893758d8d314bb1eac3063ba78a361ab8cc424b4616f6e033bb23f187481d
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJXGiXZBI1qCpS8v8wlkfwFTFc1NsHpwsr:V7Zf/FAxTWoJJX0rv7cL4Ssr

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4676) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4004-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00130000000229a5-2.dat	upx
behavioral2/files/0x001400000002292d-6.dat	upx
behavioral2/memory/4004-1734-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Crashpad\metadata.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_core.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Configuration.ConfigurationManager.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fr.pak.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe

C:\Users\Admin\AppData\Local\Temp\c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe
"C:\Users\Admin\AppData\Local\Temp\c5e8ddbfa495d81ce527059b362cf19f8d82d05a3321e0fd3866477ec6a6090c.exe"
1⤵
- Drops file in Program Files directory
PID:4004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini.tmp

Filesize
70KB

MD5
a8c6d601badd84106a2e8e940cbf0008

SHA1
bb1a25b38eab0e6d7cf0773cb23db8f9e5b71bf3

SHA256
1261e0819000d2d8fdb401ff03c1cd0e6269d3d82c6e934fd22a62ef82d52932

SHA512
f99a8fcb1ed8139c4bb6d3aee333b449d39e56b5766095d5b51bba77081e8578998a9702a8981fb74fc8595775d093c8ef48902fc96737a3c669b6ec0a10e6f5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
169KB

MD5
e99412e9b276f2b0b1ce7a563897a2a8

SHA1
74dfe9e65d80743a0c4b13799f289832bd26cefd

SHA256
33d5ebdb8c3d7ee7497f95199e36aa338fc2f82835b0eec503ff822bc081fa6e

SHA512
9b360f6de6e6c3ea3c1939ceace7f32e1d45c9e6f0183a332df256ef25ac50f181019b9be68ddfb71108353188530b1a3a0f337c175cf71c7b05181c66cea663

Download Submit
memory/4004-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4004-1734-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads