Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-x132lswapr
Target 0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N
SHA256 0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486
Tags
discovery ransomware upx
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486

Threat Level: Likely malicious

The file 0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3207) files with added filename extension (behavioral1, win7 run; every created path recorded there carries an appended .tmp extension)

Renames multiple (4328) files with added filename extension (behavioral2, win10v2004 run; same appended .tmp extension, the higher count reflects the larger installed file set of that image)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Enterprise Matrix V15

System Location Discovery: System Language Discovery (T1614.001)

Obfuscated Files or Information: Software Packing (T1027.002), from the UPX packed file signature

Analysis: static1

Detonation Overview

Reported

2024-10-19 19:20

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
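The static run reports "UPX packed file" without listing an indicator. The check a sandbox (or an analyst) makes for that verdict is a walk of the PE section table: stock UPX names its sections UPX0/UPX1, leaves UPX0 with no raw data (it is only virtual space the stub decompresses into), and the packed UPX1 section has near-maximal byte entropy. The block below is an added example, not code from the report or the sandbox; it builds two small synthetic PE images in build_pe() for the demonstration (the sample itself is identified in the report only by hash, so nothing here is parsed from it), and the 7.0 entropy floor and the 512-byte minimum section size are assumptions.

```python
"""
Added example (not part of the sandbox report): a dependency-free PE section
walk that reports the usual UPX tells (UPX0/UPX1 section names, an empty first
section that exists only as virtual space, a high-entropy packed section).
The two images it runs on are built in build_pe() for the demonstration; they
are not the sample, which the report only identifies by hash.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, raw_size, raw_bytes)] from the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_opt                           # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, vsize, rsize, pe[rptr:rptr + rsize]))
    return sections


def upx_indicators(pe: bytes, entropy_floor: float = 7.0):
    """List the UPX tells found; an empty list means none is present.
    entropy_floor is an assumed threshold, not a sandbox value."""
    sections = parse_sections(pe)
    names = [s[0] for s in sections]
    hits = []
    if any(n.upper().startswith("UPX") for n in names):
        hits.append("section names: " + ", ".join(names))
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        # UPX0 carries no file data; it is the virtual range the stub unpacks into.
        hits.append(f"{names[0]} has no raw data but {sections[0][1]:#x} bytes virtual")
    for name, _vsize, rsize, raw in sections:
        ent = shannon_entropy(raw)
        if rsize >= 512 and ent > entropy_floor:
            hits.append(f"{name} entropy {ent:.2f} (compressed payload)")
    return hits


def build_pe(sections):
    """Construct a minimal, non-executable PE for the demo from
    [(name_bytes, virtual_size, raw_bytes)]; no optional header is emitted."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = 64 + 4 + 20 + 40 * len(sections)             # section data follows the headers
    table, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000060)
        body += raw
        raw_ptr += len(raw)
        vaddr += max(vsize, len(raw), 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


def pseudo_random(n: int, seed: bytes = b"upx-demo") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed images: a UPX-style layout and a plain one (not the sample).
PACKED = build_pe([(b"UPX0", 0x8000, b""),
                   (b"UPX1", 0x2000, pseudo_random(0x1800)),
                   (b".rsrc", 0x1000, b"\0" * 0x200)])
PLAIN = build_pe([(b".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 200),
                  (b".data", 0x1000, b"\0" * 0x400)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(img) or "no UPX indicators")
```

On a real file the same walk is what `pefile` does for you (`pefile.PE(path).sections`, each with a `.Name`); for a stock-packed binary `upx -d` restores the original so the static signatures can be re-run on unpacked code. Renamed sections or a patched UPX header defeat the name check, which is why the empty-first-section and entropy tells are worth keeping alongside it. The memory dump names in the behavioral runs (0x400000 to 0x40A000) show the mapped image is only 40 KiB, consistent with a small packed executable.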

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 19:20

Reported

2024-10-19 19:22

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe"

Signatures

Renames multiple (4328) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\7-Zip\Lang\fr.txt.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
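The three behavioural signatures above (and the same three in the behavioral1 run below) are derived from a stream of file-creation and registry-open events. The block below is an added example, not the sandbox's own rule logic or code from the report: it replays a constructed event stream through detection logic that reproduces those signatures. The file paths, the NLS\Language key and pid 4112 (the process id in the memory dump names of this run) are taken from the report; the event objects, the hypothetical "msiexec.exe" control process and the two thresholds are assumptions made for the demonstration. The point it adds is the discriminator: an installer also drops many .tmp files under Program Files, but into one directory, whereas the ransomware tell is the same appended extension across many directories.

```python
"""
Added example (not part of the sandbox report): replays a constructed stream of
file-creation and registry-open events and derives the three behavioural
signatures the report records for the sample. Paths, the registry key and
pid 4112 come from the report; the event stream, the msiexec.exe control
process and the thresholds are assumptions for the demonstration.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    op: str        # "file_create" | "reg_open"
    target: str    # file path or registry key


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe"
LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
# "<name>.<ext>.<added>": the original name must already carry an extension,
# so a name such as Sao_Paulo.tmp (no original extension) is not counted.
APPENDED_EXT = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9_-]{1,10})(?P<added>\.[A-Za-z0-9_-]{1,5})$")
# Thresholds are assumptions, not values taken from the sandbox.
RENAME_THRESHOLD = 10   # created files carrying the same appended extension ...
MIN_DIRS = 5            # ... spread over at least this many directories


def split_added_extension(path: str):
    """Return (original_name, added_ext) for names like 7-zip.dll.tmp, else None."""
    name = path.rsplit("\\", 1)[-1]
    m = APPENDED_EXT.match(name)
    return (m.group("orig"), m.group("added").lower()) if m else None


def score_events(events):
    """Aggregate per-pid indicators from the event stream."""
    per_pid = defaultdict(lambda: {"process": None, "added_ext": Counter(),
                                   "dirs": defaultdict(set), "program_files": 0,
                                   "language_discovery": False})
    for ev in events:
        rec = per_pid[ev.pid]
        rec["process"] = ev.process
        target = ev.target.lower()
        if ev.op == "file_create":
            if target.startswith(PROGRAM_FILES):
                rec["program_files"] += 1
            split = split_added_extension(ev.target)
            if split:
                rec["added_ext"][split[1]] += 1
                rec["dirs"][split[1]].add(target.rsplit("\\", 1)[0])
        elif ev.op == "reg_open" and target == LANGUAGE_KEY.lower():
            rec["language_discovery"] = True
    return per_pid


def signatures(per_pid, rename_threshold=RENAME_THRESHOLD, min_dirs=MIN_DIRS):
    """Map the aggregates onto the report's signature names, one (pid, text) per hit."""
    hits = []
    for pid, rec in per_pid.items():
        for ext, n in rec["added_ext"].most_common():
            # An installer drops many .tmp files too, but into one directory;
            # the same appended extension across the tree is the ransomware tell.
            if n >= rename_threshold and len(rec["dirs"][ext]) >= min_dirs:
                hits.append((pid, f"Renames multiple ({n}) files with added filename extension {ext}"))
        if rec["program_files"]:
            hits.append((pid, f"Drops file in Program Files directory ({rec['program_files']} files)"))
        if rec["language_discovery"]:
            hits.append((pid, "System Location Discovery: System Language Discovery"))
    return hits


# Constructed event stream: report paths for pid 4112, plus a hypothetical
# installer (pid 1234) writing twelve .tmp files into a single directory.
REPORT_PATHS = [
    r"C:\Program Files\7-Zip\7-zip.dll.tmp",
    r"C:\Program Files\7-Zip\Lang\va.txt.tmp",
    r"C:\Program Files\7-Zip\Lang\fr.txt.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp",
    r"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp",
    r"C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp",
    r"C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp",
    r"C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp",
    r"C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp",
    r"C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp",
    r"C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp",
    r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp",
    r"C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp",
    r"C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp",
]
EVENTS = [Event(4112, SAMPLE, "file_create", p) for p in REPORT_PATHS]
EVENTS.append(Event(4112, SAMPLE, "reg_open", LANGUAGE_KEY))
EVENTS += [Event(1234, "msiexec.exe", "file_create", rf"C:\Program Files\Contoso\setup\lib{i}.dll.tmp")
           for i in range(12)]


def run_example():
    return signatures(score_events(EVENTS))


if __name__ == "__main__":
    for pid, sig in run_example():
        print(pid, sig)
```

Against the constructed stream, pid 4112 triggers all three signatures (14 appended-extension files over 13 directories, 13 of them under Program Files, plus the NLS\Language read) while the installer only triggers the Program Files drop. Feeding real Sysmon event ID 11 (FileCreate) and ID 12/13 (registry) records into Event objects is the only adaptation needed to run the same logic on endpoint telemetry.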

Processes

C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe

"C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe"

Network

Note: the only destinations recorded are the sandbox resolver (8.8.8.8) and Bing hosts, plus PTR lookups of Microsoft address space, and the table does not tie any connection to the sample process; the win7 run (behavioral1) recorded no network activity at all. Treat these as Windows background traffic, not as indicators, unless a clean-baseline run of the same image shows otherwise.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4112-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 0d52230890f2863f289bd527d2b29cc5
SHA1 07b4cc61948e30d139d1acbf86e8f1161af91194
SHA256 eb7678e3123c2754e0d4e88826c6840c3c507e5ed7e2be724df1587fd1a63755
SHA512 905183241b8666dcbf51ad1abf52fceabfebf02ea8a80b999768a1b5cfb1e16f4aaa12f3757b52b7bb69b8a80988ee8e34daec696e13f872ea4d324f4563af5c

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 daf3fd861e0e12b453fd2960e4e78faf
SHA1 ee7cbe344aea8f681b6fa22d1c1f09a5a1ec6336
SHA256 8a869b5e6b3da028d16de2133a19eef2194622a94bb5a3ea0d61243a704db413
SHA512 c8fcf4045c79ac86562733d0d7cdb4954ef7003a347d6c4205e0039cce73ad03a17e0752844e2406e2ea90cba2db3311141d258f05154d1f6a188bcaf2c9bce0

memory/4112-658-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 19:20

Reported

2024-10-19 19:22

Platform

win7-20240903-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe"

Signatures

Renames multiple (3207) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Mozilla Firefox\mozwer.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Mozilla Firefox\lgpllibs.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Management.Instrumentation.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\StartExit.ex_.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Taipei.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\DismountSuspend.doc.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jre7\lib\calendars.properties.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Havana.tmp C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe

"C:\Users\Admin\AppData\Local\Temp\0c0e8870bafc851913e7cc9e98cb8fede7b5f49a3c15b75fc315352d95dfc486N.exe"

Network

N/A

Files

memory/3048-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 0d36e9b7be4bba25290c711daa980077
SHA1 99e7bb5670247091465bbb0259f4be9b979a0ecd
SHA256 aacb13723f77deae784332a3d883efbd86244d641c12481fa1d4fcb24a098d73
SHA512 1e709daeb9f1888ae739cc00b704fff8fea8fc617418b60734fb49a058524fc691bfe6102887f9b81126b9c6788c4e62d896ad67b69bd785e17b6370ba09ddd8

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 f975d47582640a52e40e4190848ec0eb
SHA1 2a5c0cdb494a74134088f0e29cf10666dd2fb542
SHA256 72113776ca07e085f520e983f81b60fa92651b57fba13dbd981544dad1d04a4d
SHA512 d9d1b12255559aa6a74793f772bcaef544ebd8a5a4df0a505db512631222cff491014dbe61d2212c1702d2aa3f585204e0bbc6dfb1f1604737c32295dca7c4cd

memory/3048-75-0x0000000000400000-0x000000000040A000-memory.dmp