169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
Size

184KB
MD5

58dfcd37869ab90e69bbd8c5344549d3
SHA1

d2f7b261313f2af56bc76d21ca347eb7755f8ac4
SHA256

169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e
SHA512

e4c0501c196ca52d7c0ebc78b2700ab0352069077b8ff8c1b2411b35d7cb6d2076f0a7e32c95697b8ce874143b0f15f6cc6e0d20546d9618205dec454eb9e50f
SSDEEP

3072:htEyyj2yAeCgjJQWHIjN3tj6qnv0b2UrXkbvLiPW:fEyyj2yAIJbIjNDv0bNXkbvLiPW

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4071) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/512-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000c000000023b6f-2.dat	upx
behavioral2/files/0x001400000002291d-6.dat	upx
behavioral2/memory/512-653-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe

C:\Users\Admin\AppData\Local\Temp\169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe
"C:\Users\Admin\AppData\Local\Temp\169a76fb11ecdb944ddc495bb8cf80992d57c7a920ba932a337fdb302e95671e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
185KB

MD5
227bf9533c258abea7291f04603e6eec

SHA1
fa4eb6832988b5f6a1d0bfac4ea3d223c5dfddc7

SHA256
6e5b2c974845f8024c15fee2dc6aadc018a9fc3e206ef422a42a7fe5ec805877

SHA512
47f176a8709dfaafc0fd68b3e3f8be10ae6e60e73cdf6a015464fcbec156f556a576f574b0886b2f9c6ec334db4b8cad9b90c26f74079c68ea41954ed8f1cc52

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
283KB

MD5
99d0ed26be24aa675a78a54773c2794b

SHA1
b6af9b62ab189240e51d968e5e8b3b45e7c24299

SHA256
f8554bb6630bac17bb7b9c3b683ad0741c0eb04c5bf5014c4d866fb537f64efb

SHA512
4e8f28319f64fd1bee012bc7b9891156c71e0461b46435719808da87569bbb17b81ef2b3d1fd733a54ff7742bcbf8573e05b1a1704db06b6e0f9eae2c187a719

Download Submit
memory/512-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/512-653-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download