Malware Analysis Report

2024-12-07 10:03

Sample ID 241114-acwlas1grf
Target 88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378
SHA256 88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378
Tags discovery ransomware upx
Score 9/10


Analysis Overview

Score 9/10

SHA256 88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378

Threat Level: Likely malicious

The file 88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3455) files with added filename extension

Renames multiple (4676) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-14 00:04

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-14 00:04

Reported 2024-11-14 00:07

Platform win10v2004-20241007-en

Max time kernel 150s

Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378.exe"

Signatures

Renames multiple (4676) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378.exe

"C:\Users\Admin\AppData\Local\Temp\88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378.exe"

Network

Country Destination Domain Proto

Files

memory/5036-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 18914c2ffa391fd02d4e7ca87a939b6c
SHA1 0c2a874da2f51e8deb2181f1b52f9c4c15edd7f7
SHA256 8586c8593dbe3901d485fc5c39d594c712025e5cb052c0356f61b0c0da8ed3e4
SHA512 fbb1f28b4d7964da96aca8c7e8e32196aaa7165129576f8ca544f07f2eba16443b53a5322b28fa08ca13ed7fb2d88d94ee3dfef1227d9286a4d9bb95e63e887d

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 a2ccd3be2eac913e7fe8c9385cadd2e8
SHA1 3012c766146e65d971ff6aa17b8d17584b4da7c2
SHA256 f6ed1d27155b2cfc1e6c77b47cb73241bdd6932fa4fb82e6c9cf5a94dbe08e74
SHA512 49172baf982add7da98383d4225355d5a0dfb888833a40bc7eaf2e7d438bff01439dbf2e506d98b964e5b65434fbcc219cc7203062d1b2ece73e6890648b6e56

memory/5036-654-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-14 00:04

Reported 2024-11-14 00:07

Platform win7-20240903-en

Max time kernel 150s

Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378.exe"

Signatures

Renames multiple (3455) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378.exe

"C:\Users\Admin\AppData\Local\Temp\88cc42dbb0b168f3aa53819cad266aaf6f167d66d37fdb41ccbb5c5ab27d1378.exe"

Network

N/A

Files

memory/2532-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

MD5 a86ecf2f0564dcb5f3013cecdd81a289
SHA1 2587cd029a2101f64211d89bca8c995b085afb42
SHA256 73191d6307450bff7e8caf363076dc4b9b9c038fd1008343fbe2ad9cd562094b
SHA512 d49b8ac7f165345246bf579e648ef09d6f91a1c4fd09a39daff489dea8a6efab24489fc5f5061a3d26cc74e3f27368c38e72b34bd0f10e907fa1a76591392f7c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 8bc45f1accbb7345abe33b09a6ebde48
SHA1 f00453e197140d50dd0bc25576521fca4f287961
SHA256 ff27c8a722a8399da4d0365a4ffbdbac37336459f747fa67990127deb685cdce
SHA512 42e89093a9e3e973356dd36400c070e9d086b55dadad6a60b61a78487b3d5d662702a67fbe2ff32e05bf375c559c0d7836a4dcac0117ee7010c7fb8ba4219041

memory/2532-62-0x0000000000400000-0x000000000040B000-memory.dmp