Malware Analysis Report

2025-03-15 08:26

Sample ID 241020-ycw4tswfnc
Target 14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N
SHA256 14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0
Tags discovery ransomware upx
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256

14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0

Threat Level: Likely malicious

The file 14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (4625) files with added filename extension

Renames multiple (3127) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 19:38

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 19:38

Reported

2024-10-20 19:41

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N.exe"

Signatures

Renames multiple (3127) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N.exe

"C:\Users\Admin\AppData\Local\Temp\14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N.exe"

Network

N/A

Files

memory/2372-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 5aa9725f01b4320aef2f42b310108fea
SHA1 46710c80837a807f1faf4bb8bbd15fd7d9e3ba58
SHA256 324ef74c6f723c95f4262795677b8e11a565666af275699ac551fab3f83b49fa
SHA512 a999b161df208b778b0e07882aef6bb21e9492bfffd561ce7f03877f2aee3fed92709ee8b5d6e003c0412e43af105124d7dc294ba9d0c8e359413f0a8fed81b1

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 c3b613854fb0affde725f1722c6e93a3
SHA1 f23b7dbe71c91b6607bf7925280952f1ad701cd1
SHA256 66a7cbb251ad42c8a9f300fa405f297cfb32471191356d30274f175b18a80b0a
SHA512 9c351af29ff08c267fefd25ef12a73eb3005eca7a529961ad118c985eafe9924d07e9820b796d52b34707d0f80e0c7373ee222c275246f8952fd03168179d802

memory/2372-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 19:38

Reported

2024-10-20 19:41

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N.exe"

Signatures

Renames multiple (4625) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N.exe

"C:\Users\Admin\AppData\Local\Temp\14fa19c2fbb51af8e65e699be1a6cbc5ba2fd7e7dbd0f7a0f99c16a6644b14d0N.exe"

Network

Country Destination Domain Proto

Files

memory/1456-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 fe005c9bd6343ba90cdefb2a8f850f4e
SHA1 e8c140b1f55475f8dd3f8ae9985212b879ec9630
SHA256 b2ee37352c63518f47f862bc14d84201387843300d9ac7a6c130a671b5e96ce6
SHA512 deef0699c3452e3f81ed49f5c9e903db3a96a31ffaf8847a17ef678dfaddbd57db9023a5a97242c837eb6146e9ade2742ed5e785075a5d716c3d1ad67c2d311b

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 a3120bcec0c27d3f508819ac43d04671
SHA1 9510781fc90ae8258514d7d894b68400ea74405b
SHA256 427b698802d09211bb142fbd84d7552f35e369d76151528bf80592e9d40358ba
SHA512 833e90f81240864a5bbb2eb7cb2fa0c8eab96a72e734d158e3d9b7c5fb73fc828f59fdd41c78b54d2c74cc8d9ccd18e7f9b203e0a6074c58e0642542492b0543

memory/1456-698-0x0000000000400000-0x000000000040B000-memory.dmp