e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 04:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
Size

96KB
MD5

123fd0ba7a5a7f2ee5add0ac5dda7cd0
SHA1

2bcd0a774113a3f896d89929f5a6005628c19749
SHA256

e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1
SHA512

e007de7a1ddd9f15d153334714a27a4c954e43f3906b535e0b9d037e551af9c66b08450a3e079504e71dd6b4af0accc01df13237b6762cea941c2736b6ea359f
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfq:hfAIuZAIuYSMjoqtMHfhfq

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5026) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/2528-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x001c00000001e97e-2.dat	UPX
behavioral2/files/0x000800000002298d-6.dat	UPX
behavioral2/memory/2528-1042-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2528-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x001c00000001e97e-2.dat	upx
behavioral2/files/0x000800000002298d-6.dat	upx
behavioral2/memory/2528-1042-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\strings.resjson.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.inf.tmp	e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe

C:\Users\Admin\AppData\Local\Temp\e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe
"C:\Users\Admin\AppData\Local\Temp\e8621a83746aae614626b36ff434d77ef9350f2455677bb1818075eb30f971e1.exe"
1⤵
- Drops file in Program Files directory
PID:2528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-259785868-298165991-4178590326-1000\desktop.ini.tmp

Filesize
96KB

MD5
d220d836b60741b7715afb544144afcf

SHA1
13b36440192765569bc36f3927282cd2ac146107

SHA256
0ee2b7a913b4aed51f6d162ad5dc37341b5594a5114f01cd02c098f386ee1b9f

SHA512
d6202c141274821559aaf81696a5ae027af47d156b4e2fc196ca331e30919aa745df2ee42e79df98e9324a4eb67581054e37d0c56c1e465bf46532e4b8c03c77

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
195KB

MD5
8cdffb40e1ce3790fb36ec1f4a59f2f2

SHA1
41db7518a5984fc82e27d05d1edcceee01a5e2e8

SHA256
a9a5b037c6c1d4d3829cbc8a728dca1c0deead2a3ab6de3e46246746fd87db05

SHA512
2241c44f362e1e051c5fc5f8df2d2aed1deb05d87c013438e61961cededd3429aec3a0911cd604f9e0ed62761583b163071c239f5b09b1d69934781a370c570e

Download Submit
memory/2528-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2528-1042-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download