e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
Size

81KB
MD5

2415721f1d3e5f940aa1df2f51f8a372
SHA1

8f095b2aac2beb62eb23d425179f861708b8c9ca
SHA256

e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe
SHA512

32ec82f6d00b9df27e1c1e1401c71ee95d4e1a04bde13859a8c615cbcd90191dc1416c48d9b93bd37c3f991451bfb4a671bd149b1b8dace8472914c8833f5610
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9+F/MF/iBT37CPKKdJJ1j:V7Zf/FAxTWoJJ7Ty2ATW7JJ7Ty29

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5037) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4412-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233db-2.dat	upx
behavioral2/files/0x0014000000022913-6.dat	upx
behavioral2/memory/4412-858-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe

C:\Users\Admin\AppData\Local\Temp\e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe
"C:\Users\Admin\AppData\Local\Temp\e7bd453d4a42d2c5ecdf5d7f7b997e7c84a50f83bd521e70a41a413b29c4bcbe.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
81KB

MD5
6ba340bdbed15331795cc77946036e00

SHA1
17d12c7ab2fd49d61eb4e7ce993aaacddeb9d126

SHA256
c2fd24fb6092a6683a3089eba165862502c3b8d7265498c334cd356120581331

SHA512
03d97dc2dd35115588fedb7e4d4df40915bee6f3ed078527ebe299944c298a805be9d80bd41d60b3381992037daf32545ccc1e8c290c48f346e300ae8948be6b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
180KB

MD5
2dbbe1659ccd7cdefa0f9fdb0f9f3739

SHA1
efda4493b4aa30a847c0f40a17e757c3fda83c25

SHA256
cee86961a3aff12381b065d5e4d649092e2a943380800a6f18705b00e666c95e

SHA512
47a824a9446d60c7c4ed3c2c9329f42aed13eb6e9d5d50b6821948b9813e5f42bf14e3a01d27e71595aaf84101fdde95d4568097c42f40c949d181185d70b3c3

Download Submit
memory/4412-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4412-858-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download