6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
Size

50KB
MD5

b32a8f0487191dc46e89710176884e68
SHA1

6ae59d4169aae236a4f3a20121190c6ffd226fa6
SHA256

6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a
SHA512

ddb2db79361ae1dd871f648d9f8f4a73485c01f6f81bb9b603bca698e53d1d3a3b5ac813c48569c93ac77b404c7fbae42d57eb13b5475bf9e9460364610d4f75
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8asUs18/8k:KQSohsUsOkk

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5353) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3768-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral2/files/0x0005000000022975-2.dat	UPX
behavioral2/files/0x00060000000168ae-6.dat	UPX
behavioral2/memory/3768-1220-0x0000000000400000-0x000000000040A000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3768-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0005000000022975-2.dat	upx
behavioral2/files/0x00060000000168ae-6.dat	upx
behavioral2/memory/3768-1220-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATASERVICE.DLL.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\hu.pak.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-synch-l1-2-0.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\InitializeMount.m1v.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNI.TTF.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ta.pak.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Threading.AccessControl.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGCORE.DLL.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe

C:\Users\Admin\AppData\Local\Temp\6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe
"C:\Users\Admin\AppData\Local\Temp\6e8281b11b95b9e7007fde6cbf3702a21b59d3fafd8ff639d1d71c17efdf390a.exe"
1⤵
- Drops file in Program Files directory
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3668,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp

Filesize
50KB

MD5
efa109fef1e2967287e950c12ef394d2

SHA1
9a14e79cff7193a3ccca958720af4aafd33b954a

SHA256
b975dacb50be81dd35d2fb3bc0edb8495e61ae9ae781ae2d85bf21369c7d2386

SHA512
f3c54efd4926595d1ccbc2bfc702765e1486af1ca56bf0935ea10e2c9828ceda8daf821d9657245ff3aeb2181afd2553995149736db2b05076bde46b13f53247

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
163KB

MD5
0080cd74f31e784fd134ebd58b86fed4

SHA1
ba5def4393333e398c3d0b25544907334fe5ed7c

SHA256
a839d1eaf9197ab129113663b25d2e0707947212a50b61aaf9dd7d53fb35dc98

SHA512
fa03227cabac0c44532402338a598abc357261107e25f5ee4eef2371f4def4c75dbc65f219ee22f9f5e86badf5044506534fa17980d3f99824bab59f1d5964c4

Download Submit
memory/3768-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3768-1220-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download