Malware Analysis Report

2025-03-15 08:22

Sample ID: 241020-1h9cfs1gpc
Target: 6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN
SHA256: 6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17d
Tags: discovery ransomware upx
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: 6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17d

Threat Level: Likely malicious

The file 6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (4758) files with added filename extension

Renames multiple (3778) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-20 21:40

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-20 21:40
Reported: 2024-10-20 21:42
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe"

Signatures

Renames multiple (4758) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfc.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe

"C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/816-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 b0d6fb5905fdf1e2f682636b6fb8cdab
SHA1 080a4d5a93fef22df99bcc189f8af763aa5dc53f
SHA256 27e13c4492ffa37a8b1f6090319eec8c8f9f703ebd6db30e4f94c109f875b8eb
SHA512 037ac1a954e1271a0a0fc866418e1d19af497db701f462a4ebb0d72187dfd6dba313b4b4f4c6f6b393c374922af93be7b66765478f24bbef1cd90f936d870b77

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 1a3bafc4d40d07410587323f1cf2f1df
SHA1 1c44d18ff84f1e08816e8a4f28cc60dfae834205
SHA256 f97202b0a0bfc062898577d846945ec1245eb1741d6023face29556998323d7d
SHA512 a57344bdadf4f2293e141f8f77766c810365fa2185296528801190f2c5f0b002cd1b998fd36765fee421b2236c38d84232f3b9fd41d10392791ad91abd165411

memory/816-660-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 21:40
Reported: 2024-10-20 21:42
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe"

Signatures

Renames multiple (3778) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\init.js.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jre7\lib\security\blacklist.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\jni.h.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\cpu.css.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Mail\MSOERES.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Magadan.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\wmplayer.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libdiracsys_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jre7\bin\javafx-font.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\wmpnssui.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Media Player\wmprph.exe.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.tmp C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe

"C:\Users\Admin\AppData\Local\Temp\6dded0f03c0b4852fbf9b8de77e56833ab729f651312c189cad8cc1c1f55f17dN.exe"

Network

N/A

Files

memory/2616-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 555ad6e0c8786d1af60f9caca57610b7
SHA1 948a25fa40aabed65f7fbc593b4420230efaf284
SHA256 10f6bcd7b1c59e4e464d3fee57b8a1afb5fdce468c0ec34c8ec07e24f7a77d35
SHA512 40803b3b893e7bc5543a5683da30dd8eba3d06b644604faec339a937da21a864d90fec6af983ed72066f5f4423702b0e30e8581537e6da2f8f5dd7bd4886654b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 ff98b40685253e68b2c38ed8bf6db350
SHA1 5bf44ae5d8b49d10aba52c161c96da32b5689673
SHA256 bcde2fd6829434eb3a32e3342af3c803b3937ab028534de00d0fea1baf042d7c
SHA512 066d97ecb0292e3c1066f0ec477ff347bc1022a825a257b7fb89d07a2ab893667de91b91eaa15154b8eebf87f7c3c8294bdbc1f30aaafcdffad046d713508248

memory/2616-70-0x0000000000400000-0x000000000040A000-memory.dmp