e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a

General

Target

e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
Size

67KB
MD5

1bcd71607e40c1716da0e4bd02a85ada
SHA1

d5c4a5e83896eea50c7b9fa752faa11c7409707a
SHA256

e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a
SHA512

445b12a9a5663e0f67eeaf397bfe16565ab612cff6aa47386d8aa1ba29528bb046a777ebc6f385e01366c5978d2d6a016139621cdecfe8b22622cc5cd105508a
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8f:+nyiQSoY

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5278) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4712-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/4712-1958-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4712-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4712-1958-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IVY.DLL.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\mojo_core.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\ApproveFind.ram.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoCanary.png.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe

C:\Users\Admin\AppData\Local\Temp\e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe
"C:\Users\Admin\AppData\Local\Temp\e75351d3520e6543a58c1ed5de9b63e4e130b5b7a510d170629e33f27154cc2a.exe"
1⤵
- Drops file in Program Files directory
PID:4712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp
Filesize
67KB

MD5
975416cb19d620cc2f12d65fc13c1cd4

SHA1
fe22882c3ae07b27c3835d018ac88f78a5f1af1e

SHA256
84e12f7eb00964c25b3e9ddbc2b6ef34fe277eac7c0fdf26383a2e3eab27642d

SHA512
7b075d95ce98ac95d2e3b5a3f045745bf94116c7517b13844722ee3b68f286a765b038837d38fe7bdddadf000dc316d18cf9375a2fc2a25f6ead2b7e0b1bd232

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
166KB

MD5
803cad589aad57b08bcccacfae60ab8e

SHA1
d0207e08adce0ba0f1b64431594c96630c7b56a8

SHA256
70e0577edc2e7ed2600246e79a48760408b7794a3eec184f86cdbfd852fb7b48

SHA512
559c7b77b08c670cd3f6d361cbde3cd2b1a3162bba99a31a31b9aa1d69499938a20829b6ea6285cf955ef75c4cc2354c5ebc1a37885c12afadec67b6527e7b15

Download Submit
memory/4712-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4712-1958-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads