e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412

General

Target

e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
Size

97KB
MD5

494914e7bffe4e7fafe724ffb189ebc0
SHA1

7fc82296e9782bcfd3644078c8b205bf09f19019
SHA256

e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412
SHA512

e94b4f46157c1063d7ab28d7f7a3d685c2ca372368cc176ecd4af279311b7f63be941937287944fe2a7d898c4cb1b121982bb1dc41322b796f51dffa92eddb68
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfY:hfAIuZAIuYSMjoqtMHfhfY

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5177) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3992-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp	UPX
C:\Program Files\7-Zip\7-zip.dll.tmp	UPX
behavioral2/memory/3992-1020-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3992-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3992-1020-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Primitives.resources.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteFilter.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\desktop.ini.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe

C:\Users\Admin\AppData\Local\Temp\e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe
"C:\Users\Admin\AppData\Local\Temp\e9258f41cf6f28fcf2eaed1c04b9ca3135e9bd514b98368050b81b25b7e3f412.exe"
1⤵
- Drops file in Program Files directory
PID:3992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp

Filesize
97KB

MD5
534671334e36a048cc570bde292e3ace

SHA1
1b05d98f56e531604ecda6d0558a1cb55b787cc6

SHA256
e27a943463541cf897e65fe4f76511e6b6a75ee7697bced6b7bab8f7a9ab8dc5

SHA512
d8d673a911e1cfa6d698f74c6e4bfe7408d347cfc91fd9abdcdadeaa5de7e53df67dd5935f42e304731c79cff788c890c81965b83dfa2cd2097f1083f5f063a2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
196KB

MD5
585424f46447aa3b99451574cdbd0ba0

SHA1
0c2462e3571b7beeb908a79e8c78eeb39c7cdcde

SHA256
945bd2a8594cc11f8f277e1aaa33971da4bf44dc578a67e81cfdb21792560b3e

SHA512
962b0c1c8aedeeca7145a03c00fcc015f0176a5c605ca6be84907560905e308c8eb8e3b7313ba41939d9577170bd39668321df2f0a304c8a59a0893619dbe60b

Download Submit
memory/3992-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3992-1020-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads