e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
Size

107KB
MD5

4e9f200f81e5b0aa2262d2ef8701ccac
SHA1

bc09a59a5c7d6cf8e4698064ec0cf920ebaf8cd4
SHA256

e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9
SHA512

f65a9db9dd3c4cd5153aa5ec122e3877d5631ae1af4d6ff36913fd857789a7753ae9e37144ec70688a3748a48b8dfb9bb60f7ecaa1c24958129c31baf73c0932
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfOW:hfAIuZAIuYSMjoqtMHfhfV

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5112) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x00090000000235db-2.dat	UPX
behavioral2/files/0x00060000000168ae-7.dat	UPX

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2904-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000235db-2.dat	upx
behavioral2/files/0x00060000000168ae-7.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_wer.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\LICENSE.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoBeta.png.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFRHD.DLL.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\it.pak.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp	e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe

C:\Users\Admin\AppData\Local\Temp\e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe
"C:\Users\Admin\AppData\Local\Temp\e015f951ef9d5176d6c636924358ffbe6564787f6cb0ceed15c75595bb0958f9.exe"
1⤵
- Drops file in Program Files directory
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp

Filesize
108KB

MD5
6fa04c2743a177806bc48098d0f80821

SHA1
a309c340aa22ed48034f4c18f87f1732bea5e638

SHA256
4da3442c0090f3da93818b4df255a09452f43bff4189e8d0db2484062787ac5c

SHA512
89aea1f878da7fba178ec989af98961703e39557c7c78d08a47d5c9afe04249524ff89e536119acef6727cee40e9ed985bc5e20ec4f76c5efc76b3de15989e5d

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe

Filesize
220KB

MD5
a851fef7ec8f3f14f31dd33dffe50fbb

SHA1
85e868f2d6ddd0bff2184e062a1784f6c73c91d5

SHA256
8b502d6ff3ee128e26a3186183bf30bfc97cb6e9634b411966ba72193a5835f6

SHA512
918bc17b9047bfb5b1dfba041a03b338d637d37015eea807c3286a88832d1129cd6ff88beda203015734c4a3f0d0cd5d9ce7f2802b373b6ae8446bf769630054

Download Submit
memory/2904-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download