Malware Analysis Report

2025-01-22 19:58

Sample ID 241016-xydnyaxcld
Target fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN
SHA256 fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58ba
Tags
discovery ransomware upx
score
9/10

Analysis Overview

score
9/10

SHA256

fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58ba

Threat Level: Likely malicious

The file fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (5030) files with added filename extension

Renames multiple (3773) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 19:15

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 19:15

Reported

2024-10-16 19:17

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN.exe"

Signatures

Renames multiple (5030) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN.exe

"C:\Users\Admin\AppData\Local\Temp\fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/2536-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 70be852c23f4267f336951231f5e8f61
SHA1 da7fa2104a060022e310b276debc552aaec51df1
SHA256 afecdc8daf55d019ebd34bccd64b07434288d38769b00993af633fbd0f276962
SHA512 af7a9ce39688c5afc6bc07a265b94e7f2e2b0feabc45b03f4e37519c5d365b8028b9c6495473c09b83c172df47acd5746515c3b2d713712860e3d335613d23f3

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 c4291aeb8270d35bfec183e4dfd73fb1
SHA1 4b51b3ddb19db3a2bfc11e74c506884af435c5a8
SHA256 af7ae917e5e3588459300cf42d13601a73a6f186072faeca78a83a6717930dee
SHA512 d375213013c03b165f81969703197985f1c53f3e773bfd91c948ba8c845512f26a1315cce670ff45a8a13b4d72422f5927cdcefcc46673c4ac93df9226c929cb

memory/2536-788-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 19:15

Reported

2024-10-16 19:17

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN.exe"

Signatures

Renames multiple (3773) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN.exe

"C:\Users\Admin\AppData\Local\Temp\fa9f5c38fc05b57dd4a9220633b4a1301bbd8025c36dd41f2241934420cb58baN.exe"

Network

N/A

Files

memory/2492-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 1fb9f126918c781e339847d49cfa6c0f
SHA1 16d28fb8e81d6807f1bf7ff65d99cd05d753c5c4
SHA256 2a8c132762944bb1f3a6e284de38d44aaad5bf413a9f3c03f358c4aa2f5f0cab
SHA512 91bb00112620e1c7785fbf4d079e336d5a435760d7bb7b9b609a771ed8ab134e68bda005a3f777e0657071bde989a78f00b752f510259248c2c6e98248166ed6

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e55ac337050702c5689b18dc4c2fd593
SHA1 b9b1969ca4df5410f7aca15cdf80da4460d0dca4
SHA256 e9c4ea44c0a70df35179c6f058083b44d1f00f96b1c95637a8c75e6b82b4ae75
SHA512 4d323afc3ff63d351a1d3b1762d37d8cf2dc22821825870b429fff10e7ebfe07ff2b9fd917258fe3e8010c1b514a4f8c0d478971d234422ded03a107f4c0a30a

memory/2492-75-0x0000000000400000-0x000000000040A000-memory.dmp