ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92

General

Target

ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
Size

129KB
MD5

358b9e825c4824e9913b7461eae21b08
SHA1

fdb58d4fd696489f53b8c765d64a36210d2e0864
SHA256

ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92
SHA512

a87fc6c1da737c3f0bce7653c2c5cefafa2e8ab41042de561ab921ad0c0ea1dc19b385eac1c1a7e65f410811a8dd58f55fdd2d977e3b61b4f29db16eb2a600d4
SSDEEP

1536:V7Zf/FAlsM1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCe:fnymCAIuZAIuYSMjoqtMHfhfU7JK

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3756-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/3756-1598-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3756-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3756-1598-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_200_percent.pak.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicudt53_64.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe

C:\Users\Admin\AppData\Local\Temp\ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe
"C:\Users\Admin\AppData\Local\Temp\ebd36e1bf766c1cb93499cda7f49f77ef51c60d46d856a12a19e168b393e4b92.exe"
1⤵
- Drops file in Program Files directory
PID:3756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp

Filesize
129KB

MD5
7332a498cdf7e9a77beb6f80f177ebd4

SHA1
8edfb794a47abd95044cde6702ed81c11f5d02af

SHA256
5d6a9a392831e31c25454d2e1736598221f196b57e970546a148843e37509333

SHA512
52c7c4609122665019203c22ed0f03212d337f33ede3dcc36e321da1892db35f7f301d52556585a0524920c853a2720f11bd35d5ef214b9b2f030107d226bae4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
228KB

MD5
d55c2827ca2a7a857544d1147ddd0668

SHA1
16567ef41bf15b92493bf3f1851ff1047ad46a26

SHA256
a10e88b66340dee03bc9e1590a34aee6065cb6676e750e992498b4b1ba9c2899

SHA512
02c34922d050ae14f666e4c0e888314995e93f0b1cba35a7aa8d07034b75657e6662c12a8eccc56ef99a5b249b5589619768e657607bb0c3bb354aa05607fa78

Download Submit
memory/3756-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3756-1598-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads