18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
Size

209KB
MD5

92bd269cc41e1ab20db38a0628d5ff14
SHA1

863b16ba4e97373fb691d15ac18b48bf3a6fe634
SHA256

18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00
SHA512

bf3abb5f30b9bd2d4cb31aa1835d3c93606d79634b4c4af324e727b9e91c7df53ad6a74422e3f4444b80097d2ffdd5cf1c9fc24b1e3e83c738bb2555fc1bf0c4
SSDEEP

3072:fny1tEyyj2yAeCgjJQWHIjN3tj6qnv0b2UrXkbvLiPI:KbEyyj2yAIJbIjNDv0bNXkbvLiPI

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3866) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3532-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b1f-2.dat	upx
behavioral2/files/0x00040000000228fe-6.dat	upx
behavioral2/memory/3532-648-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.Windows.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.resources.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe

C:\Users\Admin\AppData\Local\Temp\18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe
"C:\Users\Admin\AppData\Local\Temp\18f1e5daba95fc4fec6575a47a18ec4d09cf1c0b2a8ee8ef68231b582e54ca00.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

Filesize
210KB

MD5
0f6ddbc8b619dccd67ebe57855439c43

SHA1
612052ac211c565695a82c684b85619f70b222a9

SHA256
06a7de78503069437798e91fa017ac1749c3da800ee61c24a9b1dc3c12a3833d

SHA512
2bfc7425b70fa55cb86f41ff753a5dbd57ce38e7f692314e1dd893134c91511c5ab9577cb0548d852dc6d4f5b15fdd7c2303afba2a46ee7db095a11490f93144

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
308KB

MD5
dbd43dfd8a9c0b55f282d8472323c49d

SHA1
1300c63b0eb42255d9988a30936ac418b6881a3c

SHA256
dfff293eccc1959b37fe50c851142e51ce3e8df7c4a448ee1d58d15afe09b04f

SHA512
701fff17c8c41ad784859475c5b7d346ef3ffbf2f4153ee36921390d199341eacfa4c9e6715308679098c6609f7558dad837e3aa0d91182842f42ad34aa1a085

Download Submit
memory/3532-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3532-648-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download