e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a

Analysis

max time kernel
150s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
Size

83KB
MD5

36a92ac02806fa2776dd12483a6cb49e
SHA1

e00b43b0cb8463893b067c6f80c5a24504fc090b
SHA256

e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a
SHA512

6141db3cfa9a1a54256d98ae27a513a85df04069d014a82e3e80957698167264d7a156fabd56d4dd6184467a6ed50cd11c4849e169e1ec04767b9e163b0e9c6d
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8VCnXxX81M4q:enaypQSoPXxXz

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5014) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1832-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/1832-1769-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1832-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1832-1769-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEV.DLL.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ca.pak.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\lib\deployment.config.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.tmp	e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe

C:\Users\Admin\AppData\Local\Temp\e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe
"C:\Users\Admin\AppData\Local\Temp\e0d49b8213c87fc566369a03f94fe17388b3f62ba788751d4acbf9265f64d88a.exe"
1⤵
- Drops file in Program Files directory
PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp
Filesize
83KB

MD5
9172fd73cf3cffe41c52d5096189fb94

SHA1
efc50e60df09f615a8b1aa34b6ecaa2b15779f85

SHA256
03ab25d5d35c748768c86bdedb6bc86b894ab2d95f4a073de83b33ed52cce00a

SHA512
501a42d79df1b39b2493af6c7a9e49dab7d6bd1b01098c2fec5022a39c552c181666e859b34650907b4d9239b2e7884d92d8f6bb5090a40bb89b7e5a33135d9e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
182KB

MD5
99f45c7fc53013779676f40b6039fc44

SHA1
8d4e80b713f1601f4baea93a720d390205a49bab

SHA256
ade59f4edd00d9a8909fb711bb6c7c984c507a2bc5ac2b3f26d47e222693ef2f

SHA512
b118729e5fd7e8c7b30c93a6d6c0fbf901a2307f5ce67045d9476ec82761217986fa29da649274697d56b100a2ac7916d40b182400e3b589815f624cf8da5fc1

Download Submit
memory/1832-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1832-1769-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download