Malware Analysis Report

2025-01-22 20:18

Sample ID 241020-dbdkwavclg
Target b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N
SHA256 b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735
Tags discovery ransomware upx
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256

b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735

Threat Level: Likely malicious

The file b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (4380) files with added filename extension (behavioral2, Windows 10)

Renames multiple (3208) files with added filename extension (behavioral1, Windows 7)

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Enterprise Matrix V15

Discovery: System Location Discovery: System Language Discovery (T1614.001), matched on the NLS\Language registry key opened in both behavioral runs.

Analysis: static1

Detonation Overview

Reported

2024-10-20 02:49

Signatures

UPX packed file

upx
No per-event indicators recorded for this signature.

Unsigned PE

No per-event indicators recorded for this signature.
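Both static1 verdicts can be reproduced from the PE headers alone. The Python below is an added example, not the sandbox's own detection logic: it parses just enough of a PE file to read the section table and the security data directory, then applies the two checks behind "UPX packed file" and "Unsigned PE". Because the sample itself is not on this page, the images it inspects are constructed header-only PE32 skeletons produced by build_pe; the section-name and raw-size heuristics are the author's assumptions.

```python
import struct

# Offsets from the PE/COFF specification (all fields little-endian).
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode blob
SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE file to answer packer and signing questions."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); NumberOfRvaAndSizes sits right before them.
    dd_off = 96 if magic == PE32_MAGIC else 112
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    sec_off, sec_size = 0, 0
    if n_dirs > SECURITY_DIR_INDEX:
        # For the security directory the first field is a file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, opt + dd_off + SECURITY_DIR_INDEX * 8)
    sections = []
    base = opt + opt_size
    for i in range(n_sections):
        off = base + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size})
    return {"sections": sections, "security_offset": sec_off, "security_size": sec_size}


def static_triage(data: bytes) -> dict:
    """Reproduce the two static1 verdicts: 'UPX packed file' and 'Unsigned PE'."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    # Stock UPX names its sections UPX0/UPX1 (plus .rsrc). Users can rename them, so also
    # use the layout: the first section has no file data (raw size 0) but a large virtual
    # size, because UPX unpacks into it at run time.
    upx_by_name = any(n.startswith("UPX") for n in names)
    first = pe["sections"][0] if pe["sections"] else None
    upx_by_layout = bool(first) and first["raw_size"] == 0 and first["virtual_size"] > 0
    return {
        "sections": names,
        "upx_packed": upx_by_name or upx_by_layout,
        # Empty security directory: no embedded Authenticode signature. A non-empty one
        # only proves a blob is attached, not that it verifies.
        "has_authenticode": pe["security_size"] > 0,
    }


def build_pe(section_names, security_size=0, hollow_first=False) -> bytes:
    """Constructed header-only PE32 image for the demo (not the analysed sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8,
                     0x400 if security_size else 0, security_size)
    headers = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if (i == 0 and hollow_first) else 0x200     # UPX0-style section: no file data
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000,
                               0x1000 * (i + 1), raw_size, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


if __name__ == "__main__":
    print(static_triage(build_pe(["UPX0", "UPX1", ".rsrc"], hollow_first=True)))
    print(static_triage(build_pe([".text", ".rdata", ".data"], security_size=0x1800)))
```

For a real file call static_triage(open(path, "rb").read()). Two caveats apply to the verdicts themselves: UPX users can rename UPX0/UPX1, which is why the raw-size heuristic is kept, and an empty security directory only says there is no embedded Authenticode blob; Windows components signed through catalog files look unsigned to this check, and a non-empty directory still has to be verified (for example with Get-AuthenticodeSignature) before it counts for anything.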

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 02:49

Reported

2024-10-20 02:51

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe"

Signatures

Renames multiple (4380) files with added filename extension

ransomware

UPX packed file

upx
No per-event indicators recorded for this signature.

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe; Target: N/A. Each indicator is a .tmp file created beside an existing file under C:\Program Files (the report lists 64 of them).
Description Indicator
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.tmp
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp
File created C:\Program Files\Common Files\System\wab32res.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp
File created C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp
File created C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp
File created C:\Program Files\Java\jdk-1.8\include\jni.h.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp
File created C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp
File created C:\Program Files\7-Zip\7z.exe.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe N/A

Opening this key is how a process reads the system's install language. The report records the open only; what the sample does with the value is not captured in either run.
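The "Renames multiple (N) files with added filename extension" signature fires on the volume of renames in which the new name is the old name plus one extra suffix, and the "Drops file in Program Files directory" rows above show the .tmp files the sample creates beside existing files along the way. As an added example, not the sandbox's own detector, here is a sliding-window version of that rule in Python run over a constructed event stream. The threshold of 50 renames in 60 s, the event schema and the ".locked" suffix are assumptions of this example (the report does not say which suffix the sample appends); PID 1316 is taken from the behavioral2 memory-dump name.

```python
import re
from collections import Counter, defaultdict, deque

# One extra extension appended to the original name, e.g. "report.docx" -> "report.docx.locked".
ADDED_EXT = re.compile(r"^\.[A-Za-z0-9_\-]{1,16}$")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def added_extension(old_path: str, new_path: str):
    """Return the appended suffix if new_path is old_path plus one extension, else None."""
    if new_path.startswith(old_path):
        suffix = new_path[len(old_path):]
        if ADDED_EXT.match(suffix):
            return suffix
    return None


class MassRenameDetector:
    """Per-process sliding-window count of added-extension renames."""

    def __init__(self, threshold: int = 50, window_s: float = 60.0):
        self.threshold = threshold          # assumption: sandbox thresholds are not published
        self.window_s = window_s
        self.renames = defaultdict(deque)   # pid -> deque[(ts, suffix)] inside the window
        self.extensions = defaultdict(Counter)
        self.tmp_drops = defaultdict(int)   # pid -> ".tmp" files created under Program Files
        self.fired = set()

    def feed(self, ev: dict) -> None:
        pid, op = ev["pid"], ev["op"]
        if op == "create":
            p = ev["path"].lower()
            if p.endswith(".tmp") and p.startswith(PROGRAM_FILES):
                self.tmp_drops[pid] += 1
            return
        if op != "rename":
            return
        suffix = added_extension(ev["path"], ev["new_path"])
        if suffix is None:
            return                           # a.txt -> b.txt or x.docx.tmp -> x.docx do not count
        q = self.renames[pid]
        q.append((ev["ts"], suffix))
        self.extensions[pid][suffix] += 1
        while q and ev["ts"] - q[0][0] > self.window_s:   # expire renames outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.fired.add(pid)

    def summary(self, pid: int) -> dict:
        top = self.extensions[pid].most_common(1)
        return {
            "fired": pid in self.fired,
            "added_ext_renames": sum(self.extensions[pid].values()),
            "top_extension": top[0][0] if top else None,
            "program_files_tmp_drops": self.tmp_drops[pid],
        }


def run(events, threshold=50, window_s=60.0) -> dict:
    """Replay events in time order and return one summary per PID seen."""
    det = MassRenameDetector(threshold, window_s)
    for ev in sorted(events, key=lambda e: e["ts"]):
        det.feed(ev)
    return {pid: det.summary(pid) for pid in {e["pid"] for e in events}}


def constructed_events(n_files: int = 120):
    """Constructed stream: 120 files each get a .tmp sibling and an added '.locked' suffix."""
    events = []
    for i in range(n_files):
        base = f"C:\\Program Files\\demo\\lib{i}.dll"
        events.append({"ts": i * 0.05, "pid": 1316, "op": "create", "path": base + ".tmp"})
        events.append({"ts": i * 0.05 + 0.01, "pid": 1316, "op": "rename",
                       "path": base, "new_path": base + ".locked"})
    # Benign noise from another process: save-via-temp-file (strips .tmp) and a plain rename.
    events.append({"ts": 1.0, "pid": 4242, "op": "rename",
                   "path": "C:\\Users\\Admin\\report.docx.tmp", "new_path": "C:\\Users\\Admin\\report.docx"})
    events.append({"ts": 2.0, "pid": 4242, "op": "rename",
                   "path": "C:\\Users\\Admin\\a.txt", "new_path": "C:\\Users\\Admin\\b.txt"})
    return events


if __name__ == "__main__":
    for pid, s in run(constructed_events()).items():
        print(pid, s)
```

The same logic fits any source that yields file-create and file-rename events per process (Sysmon event ID 11 for creates plus a rename feed from ETW or an EDR). Keeping the per-process Counter of suffixes is worth the few lines: the dominant suffix is what identifies the family and becomes the hunting term across other hosts.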

Processes

C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe

"C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

None of this traffic is attributed to a process: the table has no process column, and the Windows 7 run (behavioral1) recorded no network activity at all. g.bing.com and tse1.mm.bing.net are endpoints a stock Windows 10 image contacts on its own, and the in-addr.arpa rows are reverse (PTR) lookups of IP addresses, not connections to them; read the labels backwards to recover the address (232.168.11.51.in-addr.arpa is 51.11.168.232). Treat the table as sandbox background unless the sample's process can be tied to one of these sockets.
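The network table above mixes DNS queries to 8.8.8.8 with TLS connections to 150.171.27.10. As an added example, not part of the report, the Python below reads those rows, turns the in-addr.arpa names back into the addresses they describe (the IPv6 ip6.arpa form is handled too, which this report does not need), and separates the hosts that still need attributing to a process from the ones a stock Windows 10 image contacts by itself. The WINDOWS_BACKGROUND set is an analyst-maintained allowlist and an assumption of this example.

```python
import ipaddress
from collections import Counter

# The behavioral2 Network table, copied row for row (Country Destination Domain Proto).
REPORT_ROWS = """
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Assumption of this example: hosts a stock Windows 10 sandbox image talks to on its own.
WINDOWS_BACKGROUND = {"g.bing.com", "tse1.mm.bing.net"}


def ptr_to_ip(name: str):
    """Turn a reverse-lookup name back into the address it describes; None if it is not one."""
    n = name.strip().rstrip(".").lower()
    if n.endswith(".in-addr.arpa"):
        octets = n[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return None
        return ".".join(reversed(octets))            # labels are the octets in reverse order
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(x) == 1 and x in "0123456789abcdef" for x in nibbles):
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


def triage_network(table: str) -> dict:
    """Split the report rows into PTR lookups, forward lookups and TCP endpoints."""
    ptr_ips, dns_names, tcp = [], set(), Counter()
    for line in table.strip().splitlines():
        _country, dest, domain, proto = line.split()
        if proto == "udp" and dest.endswith(":53"):
            ip = ptr_to_ip(domain)
            if ip:
                ptr_ips.append(ip)
            else:
                dns_names.add(domain)
        elif proto == "tcp":
            tcp[(dest, domain)] += 1
    contacted = {d for (_, d) in tcp} | dns_names
    return {
        "reverse_lookups": sorted(set(ptr_ips),
                                  key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s)))),
        "forward_lookups": sorted(dns_names),
        "tcp_endpoints": dict(tcp),
        # Hosts not on the background list are the ones an analyst must tie to a PID.
        "needs_attribution": sorted(contacted - WINDOWS_BACKGROUND),
    }


if __name__ == "__main__":
    for key, value in triage_network(REPORT_ROWS).items():
        print(key, value)
```

For this report needs_attribution comes back empty: everything contacted is on the background list, which matches the absence of a process column and the silent Windows 7 run. The eleven recovered addresses are still worth a passive-DNS or ASN check before they are dismissed, because the allowlist only covers the hostnames, not the addresses the OS reverse-resolved.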

Files

memory/1316-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 d94ae92ff80139dade914ec3082d9b6a
SHA1 5b6680b3c0272dc8e46b96235ef0340330de0b50
SHA256 9455a7cb3611d3ebfc8a6918bd0bdcb70129dd8ea4b94c03ccfab9de1b3813eb
SHA512 383fa6016049bbafbfd8b2a575ecdccf92dfc80c9749f4c9e8230a1395f592bc7dfc11dcbba75ea74c7b73499bab9d1234576297ae7a0c8a26b964a9a9a6d329

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 4ed26ee0cb70f7f793e4a36d448c19d9
SHA1 7681b5134a165c53ca49f5145bd9d7de1c29ee7e
SHA256 9cd412dbbbb0e34af846a0f82c84cfbd58426157af8a3900a028bb947277ed3d
SHA512 f68f7a3c36a41093d1c20b3fdf5efdaa2643c7de4fc6e19c612528559d027441103761ab26126e0f9ed999dd787f63783ce2126efaebd623bec54aa24022f86c

memory/1316-728-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 02:49

Reported

2024-10-20 02:51

Platform

win7-20240903-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe"

Signatures

Renames multiple (3208) files with added filename extension

ransomware

UPX packed file

upx
No per-event indicators recorded for this signature.

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe; Target: N/A. Each indicator is a .tmp file created beside an existing file under C:\Program Files (the report lists 64 of them).
Description Indicator
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.tmp
File created C:\Program Files\Internet Explorer\Timeline_is.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo.tmp
File created C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar.tmp
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar.tmp
File created C:\Program Files\Java\jre7\lib\zi\America\Atikokan.tmp
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html.tmp
File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll.tmp
File created C:\Program Files\Common Files\System\ado\msadox.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar.tmp
File created C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon.tmp
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsBase.resources.dll.tmp
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.tmp
File created C:\Program Files\Java\jre7\bin\fxplugins.dll.tmp
File created C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui.tmp
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.tmp
File created C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe.tmp
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.tmp
File created C:\Program Files\Java\jre7\lib\zi\America\La_Paz.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.tmp
File created C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius.tmp
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae.tmp
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll.tmp
File created C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.tmp
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.tmp
File created C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll.tmp
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll.tmp
File created C:\Program Files\7-Zip\Lang\lv.txt.tmp
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp
File created C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.tmp
File created C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp
File created C:\Program Files\Java\jre7\lib\security\java.policy.tmp
File created C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index.tmp
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.tmp
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm.tmp
File created C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp
File created C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.tmp

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe

"C:\Users\Admin\AppData\Local\Temp\b848a0f6bccb12ca632cb96012ed0c4d1b0730d6c9bd33d29a0ffc2ddd549735N.exe"

Network

N/A

Files

memory/2692-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 4059c90394b41eb59bfc5bce102fe4b2
SHA1 c25ed37f1b2740721c6ffb78521ce81441778d92
SHA256 f35f94a843c7bdd4f75c0f9b446db512875fd9f87353944898107edbc2f82ae5
SHA512 964055ee31c1d697295901c1e7194711d2dcee616484079610fadd79a2eae2ff58316c3f9b550b014db91dc9c67c8ad67a28636a2338eab23966a305cef4529f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 3b23809db7711e05f51900fdd7a98c3b
SHA1 e44aec25aee2b89bd8064d400bf9dbf08b604d12
SHA256 6d19ced14871b5828e7d41f9d7f385805a703f1c9e62e35772f62e9c890b223f
SHA512 94858bd2919a634487bb2199cb34d21b1aa859111acb395d706d2aa25a054c37049a5adcce1795107f5da5b0e1b32e57d4b26239f08414b2b40e729048c1d891

memory/2692-70-0x0000000000400000-0x000000000040B000-memory.dmp