Malware Analysis Report

2025-01-22 20:14

Sample ID 241016-x7867ssall
Target 86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N
SHA256 86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63
Tags
discovery ransomware upx
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63

Threat Level: Likely malicious

The file 86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3138) files with added filename extension

Renames multiple (4514) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 19:30

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 19:30

Reported

2024-10-16 19:32

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe"

Signatures

Renames multiple (4514) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\7-Zip\Lang\ar.txt.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe

"C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 5.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4060-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 98f6a5085759d9eedc6467acbc1efd81
SHA1 92b2fa5ec9f50fac8769c74e20708d527b24449b
SHA256 64cff3bbf279eafc1d1720674e4d0b3119f9af632868e3bfd641a28e5ca0dbe3
SHA512 adf2dcb53a28da2648c1f098f9fafc35608bebaec8faa52c9996d3ac611a324f5abe1518d146006cf71881a839037a307a8b91c8cc597ee8669441da4b8caf2c

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3248cdd36c603c23f86fc79a374f2c17
SHA1 9484d7af510522c76510aae73af05fb90706250a
SHA256 4e69862c485a48f613f8e3cace92151bc8401655899c9411d3a2db2e378e26ff
SHA512 bc97aefc588376e2a0f69c15bc6f9b5b9e13779ce0a6a39ee24ec46c4d6a4083b32695e25a423f3f9b8cf84f0ae78b26d760b536d255e0f542052513043ce3ca

memory/4060-714-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 19:30

Reported

2024-10-16 19:32

Platform

win7-20240708-en

Max time kernel

119s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe"

Signatures

Renames multiple (3138) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Marengo.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\lib\currency.data.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Omsk.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\System\ado\adojavas.inc.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Games\More Games\it-IT\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Juneau.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Internet Explorer\JSProfilerCore.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\bin\jfxwebkit.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Almaty.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Lagos.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.tmp C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe

"C:\Users\Admin\AppData\Local\Temp\86d53b766fd9e6faf9bc5d2151d1178c0160d486f63a8004d5a2b865f4684c63N.exe"

Network

N/A

Files

memory/824-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 0111d4be6c9825531e411dad580cf42c
SHA1 f4f4d61ffab0134229067e8dc104a9c3a74b333a
SHA256 ac1d46f0eb87abff125e4663d4678cb3f60e9a689d4ff5988a3fb239f6ff7001
SHA512 a18926120ae5b0dbb4384f528a6e5d034f686973ce51dd6bf4f0c611d3c0bcb77db1e91d13ad10a8457234297b0eb1a12606a6355b3b1ea888cc9c481499f19d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 cd2b69afa2e4ccd0f1fe880d6a5764a7
SHA1 5690572bb26cd3e8ae97ee4250442563eb72d833
SHA256 0954cb13ca9042fd67eba51483ad31eac197ebf560b83628f5094cf2d2a4a9b9
SHA512 e1bee426fe7fc4c79f1b6fae66e4fab88660012d551b2a92e1e0fa230e3908598d2354fe6ceed325d0a52541a5cec43d3f86ddd26377ca19d964aa0daac16dc2

memory/824-68-0x0000000000400000-0x000000000040B000-memory.dmp