2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
Size

184KB
MD5

b19094ecf2beee214772e8e0cdb06f30
SHA1

01118418d59bd3c68e4b6d713cecc7c476dd97d4
SHA256

2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5
SHA512

133c1658f687c200fa85204fcbcf34deea098d70f4c78fd7a5245f676f66ca8540ab498ae765cd118ccca3c4ace138b3a4f765279fefb571584633c3ce97ee78
SSDEEP

3072:htEyyj2yAeCgjJQWHIjN3tj6qnv0b2UrXkbvLiPV:fEyyj2yAIJbIjNDv0bNXkbvLiPV

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4076) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2172-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023c94-2.dat	upx
behavioral2/files/0x0014000000022905-6.dat	upx
behavioral2/memory/2172-658-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe

C:\Users\Admin\AppData\Local\Temp\2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d83498539a15085986370491efbce7b0da919a72536a5684ccf6b9d5fc9d5N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

Filesize
184KB

MD5
30e5683e7aecfa6211d84360e550c134

SHA1
c433e3a27546c31c09146f32406256f82f769fd3

SHA256
629de08ade0d54eb66a93d5bf24b9ca6464c6f0f6d338a2fda405ecd53502f8b

SHA512
aa4cf7019e5850e82bd9fa1afcb0f2e275adb25250b1116e444a184c0b543838fe0be66128192ed62244c95c54570f85d509b4772e6b1a065ff6be539f53a45f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
283KB

MD5
b272efdb8065fe58e30fe9471c3df051

SHA1
5657a50e69484851d5a2d3e99dd6feed657ef176

SHA256
b00bbc3f7b73cdb938b314b2f7e02805265a3abbd49a13b90b7267e78feb5759

SHA512
c1503d8f5a7e52319945a670b3325c7cbbf9fc9bee459251842f4bb6ae42e6e2e3554e800fd872f62ccb66e84f3f11796f21b3755bb345cd54b5df8c3cccebb8

Download Submit
memory/2172-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2172-658-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download