Malware Analysis Report

2024-12-07 09:57

Sample ID 241114-gfnhesvfjg
Target cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe
SHA256 cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95da
Tags discovery ransomware upx
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

9/10

SHA256

cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95da

Threat Level: Likely malicious

The file cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3008) files with added filename extension

Renames multiple (4330) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 05:44

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 05:44

Reported

2024-11-14 05:47

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe"

Signatures

Renames multiple (4330) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe

"C:\Users\Admin\AppData\Local\Temp\cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1088-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 74663e4313598cd7c90bd970330bfc3b
SHA1 9d74d38a1b8f97342ed9032731b934e836343d90
SHA256 c4e3af4511de13c299e6549a6c93dcbc4ff37de95aa691987d4a1baedaabe919
SHA512 8ff1ee2318654153a57b84648e58d3b27f97b16c7238c146bb8072bd5e308eb2ddab182a21528709c090e9e1b44ce93b774a2a603c8393ccf984507efbb6d591

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 11d8ec9956d84c9227bade2b382c0731
SHA1 69c2a1850fcccdde099f199a7dcfd16a3ac409e5
SHA256 0b88949943458f21a3e95945918eec48117a542dab05ba67f744d8cc90311b12
SHA512 cc8827612400954656b4e3ad6a47a2b44f3bbe7fae976bd44da0a31e4bdff37a8df9dd804e3c0a58239f1c4fcbe2e30c15ae13142d25fb5e5bd1559ae203b5d3

memory/1088-662-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 05:44

Reported

2024-11-14 05:47

Platform

win7-20240903-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe"

Signatures

Renames multiple (3008) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe

"C:\Users\Admin\AppData\Local\Temp\cac5bdca928fdda83f2711a8bc220bdc7bc8dbba371f3c400e7f29392cba95daN.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

MD5 a083e94b4a46f6156e22ce8efda31a0e
SHA1 903d78f87944c93df1bfe782833b4d86172da4c1
SHA256 dcc2d5008c9a67bfe27b88268c5316fdda742269c79eb72866aaeb2e37e3fc4b
SHA512 b2a3480d1f679a4d664b2a5f335b383d8d01e9f05b01d5922f0a89544d79070c9a7e27ac8fad4e0a78ac8821c69762e588ef33bba022ebba1d348a445d20e609

memory/2096-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 2907587bb12c1dc4779807c5ce33706f
SHA1 3367098e4cab8645bd465cf818e8e33cf1c7f91c
SHA256 9533662eddeda1803d564f2771539ce77abc80610030e382730f74abe13bf2ea
SHA512 a4910d8145175fcade7e9603c13b586034ab6c2005ceacf9e440d1f2b51bea857368c66f051ccf3b37562926f3c9d996d52b1ec1553ed57855cefeb9c430112f

memory/2096-70-0x0000000000400000-0x000000000040B000-memory.dmp