Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-xtny4svepl
Target 1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2
SHA256 1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2
Tags
discovery ransomware upx
score
9/10

Analysis Overview

score
9/10

SHA256

1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2

Threat Level: Likely malicious

The file 1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3458) files with added filename extension

Renames multiple (4729) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 19:08

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 19:08

Reported

2024-10-19 19:11

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe"

Signatures

Renames multiple (4729) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Metadata.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe

"C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/1848-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 11427a055d8c34c7ac3ff401fa48cae4
SHA1 d7db97ed95b3fccac4f2d9608d264eb0e116c2ae
SHA256 fdb8109d52f49e103815a40bac06f168c252a66623108700ff7501a65fe2c713
SHA512 6b68f5e2586bd33d1535364a741d3ed67fd790b712bfbc708b6bbf009f1495ef7d13fb46eeb5ba12b9d1c6a08e29b887e881feeb61cf48b210880e915a767961

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 9bceae576305ab281b512ade234eb16e
SHA1 3dbb02425e6216d5d2b9e976b800e2e5decad48f
SHA256 10ad225b0a5814c3ae1f6f80f66748875414a26840f755cb9386cbed1ace1adb
SHA512 c47db6a69120446bf4d6cdf57bbae80d00cf58c45fbae9e569a5ff3c85f57f145683cedbe0760bc6560c10b2bce5d72bbfb89aa9a54db405ec90622bc2521fb0

memory/1848-666-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 19:08

Reported

2024-10-19 19:11

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe"

Signatures

Renames multiple (3458) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Mozilla Firefox\precomplete.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\VideoLAN\VLC\libvlccore.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre7\bin\jsound.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\libmarq_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre7\lib\content-types.properties.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\7-Zip\Lang\ga.txt.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Internet Explorer\DiagnosticsTap.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\npt.dll.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe

"C:\Users\Admin\AppData\Local\Temp\1f90f4f2a7076d8fadc34f92fb11dfa868d685c26e95d4b259979aab654d2db2.exe"

Network

N/A

Files

memory/2892-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 752904e7567115c2653456809af80a30
SHA1 189a1cc7a08fe1368305f86c40d5f34ab531c88e
SHA256 31c508f6a3e8690df08104ea9377b3a25f1edd171fbddeb603436120f3da4ae3
SHA512 57a48533279ef4a3fd717c0c858efa862aadf05abb87bbe300b760a66dad3b641dd93a0615a455608c773d62322e216e46b78d791dff8900e25fd527d71b1795

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 df3fb89ab4c5cae57f97f6f8aefcb461
SHA1 aefbfedf45d73bb394c0867b97a61bc4ebbc58b4
SHA256 609f8fe3f500f6477498eddbe4d92742a626c08bca1ac5799caa3fc9c3323170
SHA512 2369501c8f7e1b57e5df58f56dfb1a75cdb23ec7f14f7cc2608b2518b9b178d8d17f03ddada58a6b10d9be3ac61c36dd778840c48d85630e84db232ff2dce023

memory/2892-68-0x0000000000400000-0x000000000040B000-memory.dmp