80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fad

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
Size

386KB
MD5

1ffb52b63f07303ebc22658e046f4ad0
SHA1

c94a762051b089d87314c5ada5bf6717c6504dee
SHA256

80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fad
SHA512

a9fe5fb486712f5d5b09974b919ac68dd6f7998b5964f75ea1379a80ba7ecc25f3db98965756da0fca75fc97d74108d1149826c1efc9d5685ac10c05cc60714f
SSDEEP

6144:KbEyyj2yAIJbIjNDv0bNXkbvLiPpEyyj2yAIJbIjNDv0bNXkbvLiPx:WyAUbIZGNXkbvLcyAUbIZGNXkbvLO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2434) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3024-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000a000000023c8f-2.dat	upx
behavioral2/files/0x00140000000228fc-6.dat	upx
behavioral2/memory/3024-478-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe

C:\Users\Admin\AppData\Local\Temp\80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe
"C:\Users\Admin\AppData\Local\Temp\80132bc08887deeb2dc138241236d8e327e8c904b61f87013bbcae19b66a0fadN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

Filesize
386KB

MD5
bd4f2a4da1efb6ca24fc6ec31ec5debd

SHA1
48455cd3f128cc80807a893fdc5bdbe504329f9f

SHA256
623bfe36b3a518fded0edf11724ee9e5b9cf2301475dba35d05403695dbaa23d

SHA512
572d928ba070cab9b72962826a70f49eced202687f61d0aed74c4fb20e44693f8643739a7e328a0d6102553619e8441b64e87d664cb6c40306a64344bbfe1330

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
485KB

MD5
3968929e1426acb58c8bcfdd8050b9c8

SHA1
51b33cdc3eec651834e74b94c46ff747274d19c9

SHA256
9256f9e54a8b5a39f4b3114cdc8802729c90eb37a17936b5939a6c222562d9f4

SHA512
47bd72975018215f875a311344404287cdfbfcb98eca9e3ac7ac5bc8f7d885eba645b9a2628d7d6b7c5e23c4b306564d5a1c315d2d07c536e0657f0daab56824

Download Submit
memory/3024-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3024-478-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download