Malware Analysis Report

2025-03-15 08:14

Sample ID: 241016-fsyngstfrg
Target: c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a
SHA256: c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a
Tags: discovery ransomware upx
Score: 9/10


Analysis Overview


Threat Level: Likely malicious

The file c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a was found to be: Likely malicious.

Malicious Activity Summary

Renames multiple (3460) files with added filename extension

Renames multiple (4837) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2024-10-16 05:08

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 05:08

Reported

2024-10-16 05:11

Platform

win7-20240903-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe"

Signatures

Renames multiple (3460) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe

"C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe"

Network

N/A

Files

memory/2628-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

MD5 bf9cb24911e10613dc521af03e017f22
SHA1 0c1bc6e51dca2a26c4670e7c09e07a60d8b74429
SHA256 f20d0ce0c2da3861be4d3006574fabfa6b0206d93475059c7cfee8774be83e7a
SHA512 5486d25fa76ee239cc29710f916c6225c3802e12ef33987f47c9e9ead83fa57a4827a6e1479338c1c58649f418219ad31fecacc3fe442e2e74be4d107fabe90a

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 f730d2bb4122f49e0728c020327732e8
SHA1 4e4027fc5329cabb3b0749b35cbadde874075129
SHA256 f1177af18fb436a872744f52280c08d34755e64b0e8c240115a5e38e7edfc10b
SHA512 6a4285735fbc49b836ba564f8ca969032f0fd95e0558b0b765bc5f75b1f235397c3dd459ac71e31095755fcdbea2ba1a6b6bc408726d2e8a553e49ec55ebdc9e

memory/2628-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 05:08

Reported

2024-10-16 05:11

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe"

Signatures

Renames multiple (4837) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe

"C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

memory/2396-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 f4a5df292c567e464c6b62e3c23e5722
SHA1 d880dc165b975565a64af1b3f21db742aa077f72
SHA256 1dc82f420ed2a5dc6ea4217b3f2efcb789aa881f7a85e4e288941334ffd7b44d
SHA512 46956f72e79c69a78a5c21283525eeda0f7d86949604553459d3a93276f0292a266e058978d71e3fb504dce8ea5b80df51cbdf045555da635532ab1bfcea93eb

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 9a3983c284e9fa05aee99902edf423b2
SHA1 ed519e5ee8520994661f5f7e377c5fc2313185c2
SHA256 79c3a262cb1a28f6fa31d149cb41af367ac3d53df26145cce884702a115399ed
SHA512 7cad00e4787936d84e5e280dfdfdc8afa8602ac42c49de048596dac922b2a005d8e532c933e22c3b80ac9a31793be37b6f4b225765c0a09171b7c09a6a7f2051

memory/2396-662-0x0000000000400000-0x000000000040B000-memory.dmp