Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-fdvnaaxejl
Target daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN
SHA256 daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347a
Tags
discovery ransomware upx
score
9/10

Analysis Overview

score
9/10

SHA256

daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347a

Threat Level: Likely malicious

The file daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (4461) files with added filename extension

Renames multiple (320) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 04:45

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 04:45

Reported

2024-10-16 04:47

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe"

Signatures

Renames multiple (4461) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\7-Zip\Lang\ar.txt.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe

"C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1296-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 6f2094eed212118e4a3981c48d1e508a
SHA1 c5df59e14dae8da229d7ff573f8465028f12acf7
SHA256 6dfce002a19a21d5d78f684b3f65bf5d86d62d300adb9047eb6145d7ddcc693c
SHA512 b68e25050101adc36d1574e180caa491fcded3d0178e2eac1585cd45a37a6c125453a40e52616609714b4e423f3ca1d8f591954b4b776d0eeaaec9198ec193c5

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 5c9d9cf16e9664add0c7375a773f864a
SHA1 368ba1b62197c7d2a52b45ec2191e66caec8684e
SHA256 822a2fb67956ffbabf8865c8de2072478c5b4dad03a3180dad834dcda336070e
SHA512 e2daf776ea4efb2e6d2f6b98e699660ea12e147ffcb6aad359607291e952c9d5e647aef62823c2da798990d0cda856c903b39de50b3abd40fc4ace64fdaef52c

memory/1296-676-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 04:45

Reported

2024-10-16 04:47

Platform

win7-20241010-en

Max time kernel

119s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe"

Signatures

Renames multiple (320) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\ru.txt.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\System\ado\msado26.tlb.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\7-Zip\Lang\ka.txt.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe

"C:\Users\Admin\AppData\Local\Temp\daa4cd42c55d73b503b0ab02f88994e087aa0d5e39e3e03ff11c75553a8d347aN.exe"

Network

N/A

Files

memory/2272-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 357f8a39d7f0eed6648c7f02cddb9717
SHA1 5e3dc4be2a9acbf00581aed3fb85f4746146c9ba
SHA256 a893f0d392d4bee76a90cbb0eecf8e1835709a3bfc3f95fd5fdf9539dabbcc6c
SHA512 991537838e4b767b7f9b9b6771681000119d18ed243fbf5d59f332692a09887947f308160d2d195924b23ae77ba5d81431219bad545dcd529b64a65a49a178a4

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 f72c44dad3001856932b277a8d8c34cf
SHA1 4a27940d8c86a437642882a62d268cb343412bad
SHA256 22ce19e6c71e19f5fb4fd4007737e2ee2ee6a202931080ed20d5e861aa96d331
SHA512 f1fce13283bb945c2330f180bbe23f9b2bd257757843d56bd52540c8812a6b415bf76370cd6dcb07877ab9d7ab36bade7f5c822222818ac43d2271e90a3896dc

memory/2272-26-0x0000000000400000-0x000000000040B000-memory.dmp