38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
Size

79KB
MD5

98d45e579e4b113f184091f9af7d611d
SHA1

cc3c91706d9be1ebbfff24344841b5b4e37cdce4
SHA256

38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9
SHA512

8b43df502f2693fda471bbf9b3a9591a6869a6683239ba55c8b911956e4dfeab00e87dcd404e3ba863abb836f6418f0d1154b2c46b3c51752abc2755842fc12c
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBHfBo8o3PV15RK:V7Zf/FAxTWoJJZENTBHfiP3zHQtMj8/

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4625) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2400-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023bba-2.dat	upx
behavioral2/files/0x001400000002292e-6.dat	upx
behavioral2/memory/2400-766-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationTypes.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL.tmp	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe

C:\Users\Admin\AppData\Local\Temp\38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe
"C:\Users\Admin\AppData\Local\Temp\38907448cd02156b7cdbbfd1b67025fc1efcc89629d48c362acefc0d725421b9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

Filesize
80KB

MD5
4b2a2d15392d26d91e9c0accc7264665

SHA1
17530fe39e829d36ed3bde75c6a59b39b6c71dee

SHA256
92f500d4ca757c4ad8cf3c58dbafdc170e6cd184779f5f31bd78a6d86705d53a

SHA512
e59721d721891614d3d5b1549163c41d74c69844435ef4c07d223d6e5f00fea2e93b11344067aa780e737cf43ecc0cba79900136de75eeeb87d92481354a2982

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
179KB

MD5
1bf2e9cb9cd435c4019b99a340bb7c4e

SHA1
8a380a3bcd485c624ed04ccc89580c7f04c1c95e

SHA256
9b6ac38d7fdb26a44c55dd7e8598ec798eb46b5ce2c321a5538e9b8f7cce0914

SHA512
71017bc5e3efbb4f41e1e8d6c49394f447dec4271a72ac9eb010251f95eea1e8b8a440b72d10fae7f34b5b291d43735e3b4d79e5ffb6ae73349a9c2bb3cfc82c

Download Submit
memory/2400-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2400-766-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download