Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-zp85lascqe
Target f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N
SHA256 f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3
Tags discovery ransomware upx
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 9/10

SHA256 f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3

Threat Level: Likely malicious

The file f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3089) files with added filename extension

Renames multiple (4525) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-16 20:54

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted 2024-10-16 20:54
Reported 2024-10-16 20:56
Platform win10v2004-20241007-en
Max time kernel 120s
Max time network 107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N.exe"

Signatures

Renames multiple (4525) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N.exe

"C:\Users\Admin\AppData\Local\Temp\f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 5.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1544-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 4ead71b8cc89d073008f87c55af03f21
SHA1 04d3b1be30fe7553fab527840af6ea3019e248e0
SHA256 c989200c8b4f00d1ec120ec35cf990182e2c29278fddae46d3a62d9a36559d81
SHA512 4ede5828bf4b70b64b5d7095934738f7cc28657e5e6dc7dbc7065701f513a9fb22099f7f2478849d9ea375b0cf2594145db2d9b0698978fe0d69e67fbf98958b

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 d1173134363bca8f48e327ac2bab8232
SHA1 4bc4b5ea22950094ddbba12200a36ec85b4db2a0
SHA256 f5280766665a307d2f485145c703961822bc6143aaf5b1d69dbdefe3c7fa2e45
SHA512 4784d4455a4e2e2f9b30d07d8d56c3c6bdb4d93b595ea51ea3955573813ba374a8d19b4e4435272b8ad2d7f5d92e20715646ff05774701bd40180d9d7f18cdab

memory/1544-664-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-16 20:54
Reported 2024-10-16 20:56
Platform win7-20240903-en
Max time kernel 120s
Max time network 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N.exe"

Signatures

Renames multiple (3089) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N.exe

"C:\Users\Admin\AppData\Local\Temp\f9819fa331aa012c14a89074b90997a98cd559c270fedc3be4d85d8a12b1cfc3N.exe"

Network

N/A

Files

memory/2320-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 3c949539fc1fb374929fb9666ba647b4
SHA1 a22a450ae7676de7bf86215afe7d102bc8ac5621
SHA256 94d355c8071f1a5b29c81e859e4c0af98f3b45e1b31083093d5c3260df4e2b0f
SHA512 945e03a860effd8c899c627fa13ae3b141f632efbd728f9e429f40c478a9b15b823aa40ca82baac98462fd47c0fb1e37a4807887709970d18427cbac52cb1a10

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 f83370cda0cbeb28763fc555ca496dab
SHA1 e7c945d67b9fc650e47808b86272f2161f529291
SHA256 d7d339a6732ad3a044ebd64c4180462075c3b0217e5e06a32e1f334a53426859
SHA512 e22f2f34c93f2f0c032d9513c4fbf59bfe70b0ccb73779a92743753712503ad97d15ea4346c6cbaac6888869c9a3f65b6ac60eb270e7583e8098c690500098ff

memory/2320-72-0x0000000000400000-0x000000000040B000-memory.dmp