eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5

General

Target

eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
Size

73KB
MD5

338cbe1390d1ba02421bb4dcd3837a13
SHA1

29d9686e199cc511daf1fb7600f2f26d45c51c86
SHA256

eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5
SHA512

d45a8c29bdcacb8f8b895b954ba472e0ad747749df3ee7880290702da4a45a2516b0f60c599c34d38950bce7fd71e4508a1e8b8d0e12914464a4684255f51ee5
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxt:fnyiQSoO

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4850) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1336-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/1336-1784-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1336-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1336-1784-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoBeta.png.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\desktop.ini.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OWSSUPP.DLL.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-pl.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONLNTCOMLIB.DLL.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
File created	C:\Program Files\Java\jdk-1.8\LICENSE.tmp	eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe

C:\Users\Admin\AppData\Local\Temp\eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe
"C:\Users\Admin\AppData\Local\Temp\eec030190704c1cf027597325a58004beb7cc27b0bb7c214498512d750adfde5.exe"
1⤵
- Drops file in Program Files directory
PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp
Filesize
74KB

MD5
558eb405c6b7a76f5f547fa97abe4f7d

SHA1
6444aad1d84964f3fb35599e9363a6b89024aaba

SHA256
3b9f345ffb3ef3579d18d75b64c295e70c40d70320e55d29cf1354997accb9ea

SHA512
6a1b83dc1c888fd35a857a0005f28ece6c1d63533fdd4098e2ff8dc2c1465f759aeb415ea22905927b58c4ec05f9edd6422623e1dd7b7bbf13df8ac85e5d302b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
172KB

MD5
07445a4896864e3587814b76cd2ea3fe

SHA1
d7e1a632395080f83e1eafe4881d7d6d0d0cb6e5

SHA256
1d77885aa7ad1dbacc8ce4cd51c3c47a99853e1df5da8c8c47ed52ee8490adc1

SHA512
8ade41686ce9b98447c17b2efe430473cb5e5c2b6b341593bbf1801a010e1799c569961cad99d13ec952a1e5fb21318ce3a5daad078d8ae163c0dc98f7989a53

Download Submit
memory/1336-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1336-1784-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads