Malware Analysis Report

2025-03-15 08:18

Sample ID 241016-jexqtatfkq
Target faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed
SHA256 faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed
Tags: discovery, ransomware, upx
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256: faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed

Threat level: Likely malicious

Malicious Activity Summary

Tags: discovery, ransomware, upx

Renames multiple (3677) files with added filename extension (behavioral1, Windows 7 guest)

Renames multiple (5014) files with added filename extension (behavioral2, Windows 10 guest)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Enterprise Matrix V15

System Location Discovery: System Language Discovery (T1614.001)

Analysis: static1

Detonation Overview

Reported

2024-10-16 07:35

Signatures

UPX packed file

upx
Description Indicator Process Target
(no indicator details recorded for this signature)

Unsigned PE

Description Indicator Process Target
(no indicator details recorded for this signature)
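The two static1 signatures above (UPX packed file, Unsigned PE) can be reproduced from the PE headers alone. The Python below is an added example, not the sandbox's own detection code: it walks the section table for UPX-named sections, notes the packer-typical layout of a first section that is empty on disk but large in memory, and reads the security data directory to see whether an Authenticode signature is embedded. build_sample_pe() fabricates a minimal PE32 image so the check runs offline; that image is a constructed stand-in, not the sample from this report, and the field names and result keys are this example's own.

```python
"""Static triage for 'UPX packed file' and 'Unsigned PE' straight from the PE headers.

Added example; it does not use any third-party module. build_sample_pe() constructs a
minimal, non-loadable PE32 so the checks can be exercised without the real sample.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot that points at the Authenticode blob


def parse_pe(data: bytes) -> dict:
    """Return the section table and the security data-directory entry of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    sec_va = sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_va, sec_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + opt_size    # section headers follow the optional header, 40 bytes each
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"sections": sections, "security_dir": (sec_va, sec_size)}


def triage(data: bytes) -> dict:
    """Flag UPX section names, a packer-like layout and the absence of an embedded signature."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    upx_sections = [n for n in names if n.upper().startswith("UPX")]
    # UPX0 is where the unpacked image lands at runtime; on disk it has no raw bytes.
    first = pe["sections"][0] if pe["sections"] else None
    packer_like = bool(first and first["rawsize"] == 0 and first["vsize"] > 0)
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_packed": bool(upx_sections),
        "packer_like_layout": packer_like,
        # Zero-length security directory: no embedded Authenticode signature.
        "signed": pe["security_dir"][1] > 0,
    }


def build_sample_pe(section_names, signed=False) -> bytes:
    """Constructed minimal PE32 (not the real sample): DOS header, COFF header, 224-byte
    optional header and one 40-byte section header per name. Parseable, not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if signed:                                               # pretend an Authenticode blob exists
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x200)
    secs = b""
    for i, name in enumerate(section_names):
        raw = 0 if name.upper() == "UPX0" else 0x200         # UPX0 is empty on disk
        secs += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                            raw, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    print("packed  :", triage(build_sample_pe(["UPX0", "UPX1", ".rsrc"])))
    print("ordinary:", triage(build_sample_pe([".text", ".rdata", ".data"], signed=True)))
```

To run it against a real file, pass `open(path, "rb").read()` to `triage()`. An empty security directory only proves there is no embedded signature; Windows also trusts catalog-signed files, so on a live host confirm with `Get-AuthenticodeSignature` before treating "unsigned" as a verdict. The memory dumps later in this report cover 0x400000 to 0x40A000, a 40 KB image, which fits a small UPX-compressed binary but is not proof of it; the section names are.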

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 07:35

Reported

2024-10-16 07:38

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe"

Signatures

Renames multiple (5014) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
(no indicator details recorded for this signature)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellLayoutModel.bin.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.White.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
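The "Renames multiple files with added filename extension", "Drops file in Program Files directory" and "System Language Discovery" rows above are what a host-telemetry rule keys on: one process creating `<name>.<ext>.tmp` beside existing files across many unrelated application directories, after querying the NLS\Language key. The Python below is an added example of such a rule, not the sandbox's signature logic. Its event tuples are constructed from rows in this report (for the sample process) plus an invented benign installer, setup.exe, for contrast; the thresholds and result keys are illustrative, not the sandbox's.

```python
"""Flag the mass 'write <file>.<ext>.tmp across many directories' pattern from file-create events.

Added example, not the sandbox's own signature. SAMPLE_EVENTS is constructed: the sample.exe
rows are copied from this report, the setup.exe rows are invented to show a non-match.
"""
import re
from collections import defaultdict

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe"
SETUP_EXE = r"C:\Users\Admin\AppData\Local\Temp\setup.exe"   # hypothetical benign installer

SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SAMPLE_EXE),
    ("File created", r"C:\Program Files\7-Zip\Lang\kk.txt.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\7-Zip\7-zip.dll.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp", SAMPLE_EXE),
    ("File created", r"C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp", SAMPLE_EXE),
    # Invented benign activity: an installer that also reads the locale and writes two .tmp files.
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SETUP_EXE),
    ("File created", r"C:\Program Files\Acme\app.dll.tmp", SETUP_EXE),
    ("File created", r"C:\Program Files\Acme\app.exe.tmp", SETUP_EXE),
]

# "<orig>.<ext>.<added>": the original extension is kept and a new one is appended
# (kk.txt.tmp -> orig kk.txt, added tmp). A plain single-extension "foo.tmp" does not match.
APPENDED_EXT = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9_-]{1,10})\.(?P<added>[A-Za-z0-9_-]{1,10})$")
NLS_LANGUAGE_SUFFIX = r"\control\nls\language"

MIN_APPENDED_WRITES = 5   # illustrative thresholds; production rules add a time window
MIN_DISTINCT_ROOTS = 3


def path_root(path: str, depth: int = 3) -> str:
    """First `depth` components, e.g. C:\\Program Files\\7-Zip, to measure spread across apps."""
    return "\\".join(path.split("\\")[:depth])


def analyse(events) -> dict:
    """Per-process counts of appended-extension writes, directory spread and locale query."""
    stats = defaultdict(lambda: {"paths": set(), "roots": set(), "added": set(), "lang": False})
    for kind, indicator, process in events:
        s = stats[process]
        if kind == "Key opened" and indicator.lower().endswith(NLS_LANGUAGE_SUFFIX):
            s["lang"] = True
        elif kind == "File created":
            m = APPENDED_EXT.match(indicator.rsplit("\\", 1)[-1])
            if m:
                s["paths"].add(indicator)
                s["roots"].add(path_root(indicator))
                s["added"].add(m.group("added").lower())
    report = {}
    for process, s in stats.items():
        writes, roots = len(s["paths"]), len(s["roots"])
        report[process] = {
            "appended_ext_writes": writes,
            "distinct_roots": roots,
            "added_extensions": sorted(s["added"]),
            "queried_system_language": s["lang"],
            # The locale query alone is not flagged: installers read it too.
            "flagged": writes >= MIN_APPENDED_WRITES and roots >= MIN_DISTINCT_ROOTS,
        }
    return report


if __name__ == "__main__":
    for process, verdict in analyse(SAMPLE_EVENTS).items():
        print(process.rsplit("\\", 1)[-1], verdict)
```

The spread check (distinct roots) is what separates a ransomware sweep from an updater rewriting one product's directory, and the locale query is recorded but never flagged on its own, since plenty of legitimate software reads it. With the sandbox's full row set, the same rule would count the 5014 renames reported for this run; what it cannot tell you is whether the `.tmp` files replace the originals or sit beside them, which needs the matching delete or rename events that this table does not show.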

Processes

C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe

"C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Note: this table carries no process column, so none of these flows is attributed to the sample. Reverse-DNS (PTR) lookups through 8.8.8.8 and TLS connections to tse1.mm.bing.net are consistent with the Windows 10 guest's own background traffic, and the Windows 7 run (behavioral1) recorded no network activity at all. No command-and-control traffic was observed in either run.

Files

memory/1780-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 2c95a478690c9be61c286966e1bf5dcb
SHA1 6faa17eb0f097f97f62772f9e204e4830352a214
SHA256 7963e9510029a38a4dc16d52b0c675a6441599b921a05b9fb0c6ae8f37d546a1
SHA512 cff595b8ae940748b015a44da241d3cc4ed90fbc757507ab114c408d73c77b205d28b9016982640488c01542ab00fda429a9545c0333344da439cd12f40fb9f2

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3d563040a3a397b356030a5006878566
SHA1 b666472bfbb2d8501a3ab00ca1adff6500d308be
SHA256 f99321fd43f4cda5a766b5ece20fdb74ed4f31a8159b264a8d7abab5a681d3cc
SHA512 bca2aaa18f07eff4ff7a634d5d55316770d288848b1273cfc2ac2170bb5fb26e563ca763621706389183b188c6c717c9edaa7020b4a0d64cf624602212938014

memory/1780-781-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 07:35

Reported

2024-10-16 07:38

Platform

win7-20240708-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe"

Signatures

Renames multiple (3677) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
(no indicator details recorded for this signature)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Common Files\System\ado\msado26.tlb.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\DVD Maker\directshowtap.ax.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libzvbi_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows NT\TableTextService\fr-FR\TableTextService.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_CN.properties.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Sitka.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\sbdrop.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A
File created C:\Program Files\Microsoft Games\More Games\es-ES\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe

"C:\Users\Admin\AppData\Local\Temp\faf7d0dbf54c94d46a1fb76240f424b50c1cae9baaa95d3079a663bda1cc63ed.exe"

Network

N/A

Files

memory/2552-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 e0a7fb33a8952f2d977c026d842178bf
SHA1 9592b4be36a0164307bdf0491787b17d93fcc63c
SHA256 8f587ad4f738bccfd99e2e7b2423ece10d037324bb80baf417019db4a126c1f0
SHA512 89a1b94aafea8e33ca74739dfdc1347b505d4a69faefa3c29409b120418a8feaf31d447cb9aafeac9c8a386ace303fe7d5d3308f51fcff503abd91262c6b48e5

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e4d8682b999cb0a4eeeba8ff377d3e3a
SHA1 e4668461bade5684d03d7c7135295f737539a3f5
SHA256 b48150ba73fa4e7a9f163058126d0d1e8f80948442a11d011e4ec3a32619528a
SHA512 9df42aba72bce33104a1b5c2bae6869c5a258f5fa1366e0b9e1db26cd20f9bee2c655a386926d97379207f6422f5e7f2b4aef1a370604338b61ce2cb0fdf5f51

memory/2552-75-0x0000000000400000-0x000000000040A000-memory.dmp