e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
Size

81KB
MD5

515cae0478ed6a74b91de9d645daf2e0
SHA1

1c6268de82b3d1b1bd496e048f7da46408d4a6a9
SHA256

e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a
SHA512

4d325e18d96510928dbacdc850870220601e33bea374e6a073752284fb094202c64aab74bee8da8353e539ab3579084cc3666fc2bfa053147cf057cc1b9948f1
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxFy5gfcL5y5gfcLN:fnyiQSoXqeaqeN

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4861) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/4128-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/files/0x0006000000023077-2.dat	UPX
behavioral2/files/0x0008000000022aad-7.dat	UPX
behavioral2/memory/4128-1790-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4128-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0006000000023077-2.dat	upx
behavioral2/files/0x0008000000022aad-7.dat	upx
behavioral2/memory/4128-1790-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationUI.resources.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe

C:\Users\Admin\AppData\Local\Temp\e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe
"C:\Users\Admin\AppData\Local\Temp\e8ffe086ed07a860aabd15caaf27c200271f1060f666ba22b47312fc18d7a12a.exe"
1⤵
- Drops file in Program Files directory
PID:4128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini.tmp

Filesize
81KB

MD5
9f5b54fecbf1e0b8236fc922aac855b6

SHA1
e1ca89f855f7cff580f36ccbf1bfca29ada973d0

SHA256
1f694541a9f38948046a2d5babbf3969b40e2323b90b23a550e528579deb41d7

SHA512
65a12fa1780f40352cce81a4432acb43d798c19a7208fbbbcb16892b7df6bdc3e3b5c1dc0963c0c8425486902e349a3c53f5779f380606c77addafb72c02f05d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
180KB

MD5
f77956fc3f242caad7a5571d9d391368

SHA1
d57e7b144415d4c5cad18cc2e10fb46e328370fe

SHA256
53d4929e8714badef4afc614aea2789012b4413fff67b421a331bbdbda6c2ce6

SHA512
e1b3d0653eca63782b87aa085daf0c08e131e37262d5e220d0d1b14909a0b3332357dd097adc26a9a205af6cd1b0100c58d5d827c371c905b0a936d5293c5a4f

Download Submit
memory/4128-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4128-1790-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download