fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b

Analysis

max time kernel
150s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
Size

77KB
MD5

cfc58dd8aba3afa9b57d489bb76d6c1c
SHA1

667d1c6bb7f25f11965f34656aacb27b4ea58d81
SHA256

fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b
SHA512

a5b37b4c5c8b40a94fb22e80e7f497623da9dedf441699a1bd1a4f19258ded8a14e7bc514060c2f385f00db554169553a3739a6a53b126db7a50da9c0f121106
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8/kJOM2kJOMr:fnyiQSo0d8

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5034) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1348-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1348-1918-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Threading.AccessControl.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationTypes.resources.dll.tmp	fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe

C:\Users\Admin\AppData\Local\Temp\fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe
"C:\Users\Admin\AppData\Local\Temp\fe1be8e2da5dcbd89ee2ce139b51f8aae1e64db134ebe696c3e32f24be18de5b.exe"
1⤵
- Drops file in Program Files directory
PID:1348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp
Filesize
77KB

MD5
d3e5f03f07a9028bca4271c646679331

SHA1
7178730582a971b8a613d52c7a26aec16594311f

SHA256
d3a41de3332610db2c8679fe1d547c0309e1b199a2a03d0bf7a31fe5ee0ba800

SHA512
6a62dae3210420c9d395e61629197b1b6131b9b8ba3483683e509fe755b7d321b551894c196a1da048d4a144aad78f22aa2977a77f6e6118c59e5b7fc3716454

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
176KB

MD5
2754732ea91db08d8ed322e772817793

SHA1
cd5c59463ca494cac6d2f590232a9adb649ac497

SHA256
5cb8f94a92aef4921a516becfbb005a0dccc796a569c69e26e5fe7fdf6249115

SHA512
51fdd4c620b05d66fde843bd39eaafea1bdd727eb26fea247b2b0e5e44260dfeecb28b6f55752544fc9ed805dd5188c4c627898bbbb7186571f0e1a7f58e6fdf

Download Submit
memory/1348-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1348-1918-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download