b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
Size

1.2MB
MD5

58db060ed58630030937ce930515c2f1
SHA1

38e429a8a15f86267b89ed93db96c4ee56cb1252
SHA256

b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8
SHA512

2ed1460c83654c1dba33183188454da12ae3a9b4804a560505a58857abac1337115db18ea94b559006f0e0b30b9568839ac1bdcad8a7e7a9e90232819cdf01f7
SSDEEP

1536:V7Zf/FAxTWoJJ7TTQoQmoNC4CuTW7JJ7TTQoQmoNC4CoYJ:fny1oRlC4CtoRlC4C5

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1445) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4860-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023c64-2.dat	upx
behavioral2/files/0x0008000000023cbe-6.dat	upx
behavioral2/memory/4860-312-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\BlockPing.nfo.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe

C:\Users\Admin\AppData\Local\Temp\b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe
"C:\Users\Admin\AppData\Local\Temp\b328f44d6eb86e6513f238b514392d4d89978bdba22da7f5eff65e0c5eeb74b8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

Filesize
1.2MB

MD5
38e7036c53b54b1da3a58104bd6f8c73

SHA1
cf6dacac597cab69fd626534106724bed3db89e4

SHA256
27db61589bc8f6b33c06e0051e32225acd8207d3e03e493126a728c1170d5f37

SHA512
2ae654f022731a30158734f613c3ebc839263c571c34f9b742c5587cbf964462c22d6811b796520290771c451d16df686e900eacdf03bd8f5b0c2affc92735e7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
1.3MB

MD5
30a7ff2b549f68fbe605b5ab9f8e59cc

SHA1
3b0603fdec72a94c3fcf2605c0339f192852a06f

SHA256
97f09d79ca8e380ee61969e37ae392a3a95fb34538fda41233be3ac5f2d1b7a8

SHA512
5625ad9ad05a1d4a196440491523c9832590b1db72b28919fea37336014104a87e0172000b206af2221c8a6cea03b1bb56fe4f709e3094428e56f48340031242

Download Submit
memory/4860-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4860-312-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download