0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ff

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
Size

206KB
MD5

557b7a67ee33cf645e31f5b61314aaa0
SHA1

2a384a7efc763aa4290e229376bd0be7d46307a7
SHA256

0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ff
SHA512

0c4198a68c23648faa0e59d905790913c428f294ffe6c74683da7434383e9f930e7df8f9d81b83c607c84c0abb90fceef7b462432aa4ab526f983bf64c79539c
SSDEEP

3072:fny1tEyyj2yAeCgjJQWHIjN3tj6qnv0b2UrXkbvLiPK:KbEyyj2yAIJbIjNDv0bNXkbvLiPK

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4088) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5068-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b2e-2.dat	upx
behavioral2/files/0x00040000000228f5-6.dat	upx
behavioral2/memory/5068-652-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe

C:\Users\Admin\AppData\Local\Temp\0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe
"C:\Users\Admin\AppData\Local\Temp\0d65d1926d70c09131e22ddd8e12ff35453893452d803870f68c28302f6b72ffN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

Filesize
206KB

MD5
e7b0482faa4a352d280307821438cdfc

SHA1
9e1656d6c58c1b9eb31d1922f070ebf0d99196b5

SHA256
71b5074f1a1065f6ef30f626d39dee8459adbf090c039aab0eb7cf745201dc88

SHA512
b338417b144a076e207dc87c7d4baec4fb74f49e2acb406e7c190a6ab462790423f572aeeab140a73b25bab9d0e7d53b4691ccaed5072655d75833b7cb2c121b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
305KB

MD5
fb209e24b7028dd219952f384f37e659

SHA1
679ad68593e7708250aab2ba960d7a687feb9de6

SHA256
4bdc8e2295eaeedeed51257d146f10af128f1d4ccfdf53e2186498113c7cd03f

SHA512
2caf35d731fce451be9b1dafecc2430be2aa3294da361ef264943e2618b7ab5d4e5583f4ad46d63877f9459e41d3d7390e048d18673508afb965f454669679a0

Download Submit
memory/5068-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5068-652-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download