fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
Size

192KB
MD5

8449a5305fe771748ac7621431633df4
SHA1

7540fa1ef29ec9c2376cb8e8b2c7456beb471218
SHA256

fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5
SHA512

c7b1b42dfa98b53e9a998d615505562d49b54cb2e0689ebe59b2b33240af79bed1dc17116ad81425c0b9cf34d3ee5be5ee80b10967d8ae7db863e9981ca4e3bf
SSDEEP

3072:+nyiQSo1EZGtKgZGtK/PgtU1wAIuZAIuOrDrU:JiQSo1EZGtKgZGtK/CAIuZAIu1

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4718) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/388-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000b000000023b86-2.dat	UPX
behavioral2/files/0x000800000002295e-6.dat	UPX
behavioral2/memory/388-1578-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/388-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000b000000023b86-2.dat	upx
behavioral2/files/0x000800000002295e-6.dat	upx
behavioral2/memory/388-1578-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe

C:\Users\Admin\AppData\Local\Temp\fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe
"C:\Users\Admin\AppData\Local\Temp\fe916bfe21ca78c09e6ac314890441ac81bbffd5859e192d18f57e69c15d77b5.exe"
1⤵
- Drops file in Program Files directory
PID:388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-877519540-908060166-1852957295-1000\desktop.ini.tmp

Filesize
192KB

MD5
c17ea2608c213167f7f20bd4b3e82d09

SHA1
1c4a730a602fdaff3d6e8fe5339163b12de4d505

SHA256
33fc8c8bb1b8aac49f8566833753ba48e42eab37748d852192e1443b197638cd

SHA512
153270d0fc51d0dd1ec2f80435c8e61d7afee5d903e48f57729da4e5a2ee848d4930325b6c1ad263854fdf12820d7a4bf9ade432f8d1372598457875abba688f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
291KB

MD5
8a5c0f68e93c4a486285961a95634a26

SHA1
a0ff6a91d78f1b947a41d1cf6fb3d85969429be6

SHA256
621d3d87bd39010489c241098767f1c66c859af5fad54e477526aa98e2929d87

SHA512
c43588046f9578ad389aa9ee72c6d98e365bf0e503e3444162e47d9d2b7b4a29a30ce06c2a1962562e8684b18e2aaacad5b5f73d86d3928e2918d585998bcbd5

Download Submit
memory/388-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/388-1578-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download