Malware Analysis Report

2025-01-03 08:26

Sample ID: 240617-dkhwyswajq
Target: dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5
SHA256: dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5
Tags: ransomware, upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5

Threat Level: Known bad

The file dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5 was found to be: Known bad.

Malicious Activity Summary

ransomware upx

UPX dump on OEP (original entry point)

Renames multiple (2916) files with added filename extension

Renames multiple (1222) files with added filename extension

UPX dump on OEP (original entry point)

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 03:03

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 03:03

Reported

2024-06-17 03:06

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe"

Signatures

Renames multiple (1222) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Resources.Writer.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.XPath.XDocument.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Console.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.Xml.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.Uri.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\CompareApprove.asx.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.Win32.Registry.AccessControl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ServiceProcess.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.Xml.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework-SystemData.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msadox.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\mscorrc.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.TypeConverter.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.StackTrace.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.FileSystem.DriveInfo.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.TypeExtensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\WindowsBase.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ku.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ru.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Http.Json.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Windows.Controls.Ribbon.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.DispatchProxy.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ServiceProcess.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\System\wab32.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Dynamic.Runtime.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.WebSockets.Client.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.ServicePoint.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XPath.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\PresentationFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\an.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Globalization.Extensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\WindowsBase.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\clrjit.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.NETCore.App.deps.json.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clretwrc.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Quic.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ga.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lv.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe

"C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=808 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
GB | 96.16.110.114:80 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp
GB | 142.250.187.202:443 | | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp

Files

memory/2116-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp

MD5 25fc947d7c7a58577df035112c3712a2
SHA1 100624704b2b307dfa6251eda1740cd0c5e44d76
SHA256 1695cf19992512aff33bb39b8e0e3950feebd1ba4a3c62fc748d115e35608ab8
SHA512 e343ece75620914bf24e7443e99871a1e940b1795af67d5efd43fabf8bb05b32df310bacf42cbff4760d11bb16f75eb512da06f6c3743fbf7aaabdae9e8b0a56

C:\libsmartscreen.dll.tmp

MD5 2ccdea066793dbf8669b22bbfdc0545f
SHA1 457bc1b5856ade1fb040d470ed479dc99eeeda77
SHA256 d06b54f8ed173c945f9a72fffca024e77c587b36f868967de2b1c4ef6ce9e1df
SHA512 79d53061a883d9d98a847449f980257f0bbd8eee0f9322a8f792494e8556a38572cbb0f5b90793e44d8721791ab3992fc124c176ef25c4b91e21fa9bc76c8187

memory/2116-420-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 03:03

Reported

2024-06-17 03:06

Platform

win7-20240611-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe"

Signatures

Renames multiple (2916) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jre7\bin\tnameserv.exe.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_cs.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sw.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\pt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\Parity.fx.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Microsoft Games\Hearts\ja-JP\Hearts.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\libvlccore.dll.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ast.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Sitka.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.tmp | C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe

"C:\Users\Admin\AppData\Local\Temp\dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5.exe"

Network

N/A

Files

memory/2460-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini.tmp

MD5 1befed89424c5610aa177577c43aabe7
SHA1 fe957d19d94bff5b8fbfb1a91ea2547a10e109bd
SHA256 94d5ebf29ff6a8f0b951efa20fb37c868836c3791bd67d1ea1e094eaca2da46a
SHA512 12c9746e3760c7393b7e0fba0e12381054dec79b7f8f3acc2b59ae34dc531fded08ce7ede6a68b89ad23fa056d27ae1b58707dc1c8b0faa13e8fec658a190a86

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 6d24f373f5842e30421267bfcc602528
SHA1 b034fbffecfde6b7b2cfb3709fb6069d4ef987a6
SHA256 ac199e53641ada8de2bb9a7e5b5e4cb644f5bda533c4bded2ce1d951ec1ac851
SHA512 c303ef511909f435dd8d465fa28f6e5c5a576724de5e3c230e8c8cc1b414eee950f010ef228a9e7d84a6322746c6677764121c16f344a69cbf8220f03d215982

memory/2460-214-0x0000000000400000-0x000000000040B000-memory.dmp