e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
Size

130KB
MD5

3abc53030b2ed1b6ee20ace17757717c
SHA1

a97fedd913c20b1329de4f6206b7b509fddedcbe
SHA256

e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e
SHA512

27194987148c2544bd6680688e620b019eae08b50c18964dcaae7f6d189fa9d154e4435c8cbdfd690d049c997c80f6e05e70703c20d205668d93fa046862429a
SSDEEP

1536:67Zf/FAlsM1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCv:+nymCAIuZAIuYSMjoqtMHfhfG

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5029) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3592-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x000600000002329e-2.dat	UPX
behavioral2/files/0x0008000000022996-6.dat	UPX
behavioral2/memory/3592-1788-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3592-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000600000002329e-2.dat	upx
behavioral2/files/0x0008000000022996-6.dat	upx
behavioral2/memory/3592-1788-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPCORE.DLL.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe

C:\Users\Admin\AppData\Local\Temp\e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe
"C:\Users\Admin\AppData\Local\Temp\e6a7e9290b735317afb828d4e135a72d42599e42061f5eb8b0b13f01f61e3d0e.exe"
1⤵
- Drops file in Program Files directory
PID:3592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp

Filesize
130KB

MD5
11f15decc73ebe140b2730808f446245

SHA1
98f0c09f19fb61009a80ac91017a1b0290f130e6

SHA256
53bd0730ef895a835f81a90def87d93aea6ddf100d992b1b5f1799670806e7db

SHA512
02e815afa3973c95ea7c388a09501d16dcac6bcd12dec9cf235b5af5e07222907572232f0838ee0317d41fb4d6219163500b4f9715fa07517281efbc823b2a49

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
229KB

MD5
95095cb8d535eb9abdc7ad02a77f2dd9

SHA1
86115be182f2988cd15ae44702b5c28fa357c420

SHA256
ae900e9ddc5635ad7237d22f91db484792593e5dce6057e18f2976c522ea7ef5

SHA512
940a0652cfa57235c04820a0e4c6330701170260b319a88345f285641f238ef9daa9cf03b551670331dc2bb74bba3b540eff8f79e49962730e8caf76f28601c5

Download Submit
memory/3592-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3592-1788-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download