0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632

Analysis

max time kernel
150s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
Size

159KB
MD5

1dc70213b8a0530bc3370bd2902c2e1f
SHA1

d3aa47e6d89772edf88071073e9871be691dc42a
SHA256

0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632
SHA512

1803e55db092a78bc25384e24db774c8e590940773351859aff86fd5428f1fc36468a751df9e018291c4b17ab27b9460e001fbcc748474b4df2bab37dbc6d8f1
SSDEEP

3072:+nymCAIuZAIuYSMjoqtMHfhflixiE5gbez:JmCAIuZAIuDMVtM/jS

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4836) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/1524-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000e000000023b74-2.dat	UPX
behavioral2/files/0x0008000000022972-6.dat	UPX
behavioral2/memory/1524-1640-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1524-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000e000000023b74-2.dat	upx
behavioral2/files/0x0008000000022972-6.dat	upx
behavioral2/memory/1524-1640-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\MEIPreload\preloaded_data.pb.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\Logo.png.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.resources.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSF.DLL.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe

C:\Users\Admin\AppData\Local\Temp\0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe
"C:\Users\Admin\AppData\Local\Temp\0ea3e6322e9e804934b1036d5ccdcc2507af8bd46a976c915be0f910141db632.exe"
1⤵
- Drops file in Program Files directory
PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2860750803-256193626-1801997576-1000\desktop.ini.tmp

Filesize
159KB

MD5
945d39a7bc90510ed53d480c7f150d2b

SHA1
adcd3390a698239676490f33f05777634930d5dd

SHA256
f132dd0c68fbbf97a9738d0f2c32c4b71df6a3323e2e421e13ca6fc512e969f8

SHA512
e19e9317a376fe39c582eeb88101755ef6ea4c704f36eb0d0b2654477fcd2772cb30fb5793b54f1c4e1659b65489f1593c36d14b4d9979f4d4c6c089a1bb6ccc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
258KB

MD5
728fa49f230f2aa2e5ce514012777a6d

SHA1
43aa5277e978bed9c91d76a04651f881447cd7b2

SHA256
d5be0203773b3cc0e405516d668a69f26c8f3cafcb45a1459e9efe72be6a8175

SHA512
6d36d6b89a1c552608f0ab86ec0f338b1612c43bd4fe88accb4ac9a13f4334636b397cc5c6d2c710daa48701382d1587ee67b4f1086b8c150a9fdfe8691ed859

Download Submit
memory/1524-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1524-1640-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download