7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
Size

603KB
MD5

e99bc0167ed07e24a15710eefba736c5
SHA1

439298dbb7920aefd5b09fb80a532dfb70910955
SHA256

7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea
SHA512

7990036f437867473cd0391f2083e48ff73476bed852edc4d2bb1421e78df5dbbc6186165097c5af4d296b95b0da0f2825e7bc49741ff071198c2967935855ca
SSDEEP

6144:KbESQvE6g9tTDVYbESQvE6g9tTDV8bESQvE6g9tTDVYbESQvE6g9tTDVN:dE7EXE7Ed

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2234) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2884-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b3a-2.dat	upx
behavioral2/files/0x0004000000022916-6.dat	upx
behavioral2/memory/2884-426-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pl.pak.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ta.pak.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Crashpad\metadata.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe

C:\Users\Admin\AppData\Local\Temp\7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe
"C:\Users\Admin\AppData\Local\Temp\7353817ef39a72b8fb6e8834186e10fb32b64850ddb4802f30e142cc2a5461ea.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

Filesize
603KB

MD5
08686c2f98bbdeadc50ded70d9a5be84

SHA1
19436f7f458f6efae5f9a9ff9a90f112ba542994

SHA256
d227d58fc820cab5b94b3dbaa6ef10655024bd6f24b2fd067341805d4796f3de

SHA512
bd7f77adfa3325bc6b69e193407bae08edea39e1d5cc12619aa65b32099c8409c29413db1cf3f6283a28e7baf4e564955bc2c1625fe2be5ba104c63417917b17

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
702KB

MD5
cb3cdfcc6c2c7833936c6341aa112e00

SHA1
39203078e434e4532bc9bd5019d9f0fa9e9a57ca

SHA256
5b6b42748e2690241f592478961c0cb6aee1bb09f43dc5cdb9c7e30b3a768805

SHA512
89ee9881d378032f7465286b8178d0491d8a0bf25f937bef5cc06bb1ae3eb0f06097331a94b18a784b4e5e25a8c2b1334615389204fc449992e92b878165907c

Download Submit
memory/2884-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2884-426-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download