ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44

Analysis

max time kernel
150s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
Size

46KB
MD5

8ff30e0e2eeb28932789ada57c96bab3
SHA1

364fc532ac06f389f1aebbee598373c0563da735
SHA256

ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44
SHA512

b47372b712be43d16c1995e09c26f101b1b97b1b48e24b1d1e8a13b6188ccfcbd7fc6120487e8329a9ad44396a080e974bc2c1d6c25a787748248c8a37ded371
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFz+:CTWn1++PJHJXA/OsIZfzc3/Q8zx4

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5021) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4572-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4572-1082-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4572-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4572-1082-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnOL.dll.tmp	ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe

C:\Users\Admin\AppData\Local\Temp\ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe
"C:\Users\Admin\AppData\Local\Temp\ffafc4c110ebb0a732919e7c328ebe208a700487d1d3ef229fda499c150bdc44.exe"
1⤵
- Drops file in Program Files directory
PID:4572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp
Filesize
46KB

MD5
a4080b3a3f88e711ac873112bf50b733

SHA1
3db0a91c252e7bae8ea06bf0f02fd812c45e69fb

SHA256
b74bcaab745df61485a5ab36d39a9a998124daaac8214a10df84e5b0f65b1e20

SHA512
a9dad819682afaf0e835a717824a7e9f7003abd09f70c8a0863efe5e1d8c664f0683acd48930100ce81543e4a602afa9b03c7f628496a427f99439bf555a4838

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
145KB

MD5
6c167ff35891a497f2857a0da1c81034

SHA1
e0974ff9a8996bf66ae9ab0bb4e0a2d85a87af49

SHA256
d33643705a3cb2bd160957fc4a2dfab6356ee7c2993bfda025d9195b6e926754

SHA512
5b38d7e52634be55838a61bf8d441f98175f95133e37978d5104c4f5e660825765604a1a26df978c330d7732e646a0a0256e2dcfe2b02df0383097c1651cba40

Download Submit
memory/4572-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4572-1082-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download