c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
Size

282KB
MD5

24e967e8948317a18132b9698fb1b9f0
SHA1

d037a9cffcba363b758ddc571ef8d8ea94d88d27
SHA256

c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7
SHA512

c0b3f0f4197bb2d69b979d1a886a17d26215e5d995c41f46a361956d4450c8d4453e365d50465c33bbe610fe89294796db9c7ec8d135fd29633dc150322debd2
SSDEEP

6144:KbEyyj2yAIJAEyyj2yAIJDyIjNDv0bNXkbvLl:WyAU8yAUDyIZGNXkbvLl

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3831) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4356-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023ba4-2.dat	upx
behavioral2/files/0x00040000000228f5-6.dat	upx
behavioral2/memory/4356-652-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe

C:\Users\Admin\AppData\Local\Temp\c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe
"C:\Users\Admin\AppData\Local\Temp\c98e55830bface0e13ef7b1ba5f2e655d61c714f49a65441ffd0ff15b655e2b7N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

Filesize
283KB

MD5
2eab453beccd9fa882cb65d9de9ee81f

SHA1
28cdf6ea16cdffa71c4b3431d3ce55fb20c828c4

SHA256
610315ca1ce5aa4cf2706021cf9129f47fe5e0e04bbd9a7d727915577d8796bc

SHA512
3430fb08abd57d580a97acf79c74fb5e8f330a9286a4b1543f3c58a84292d5c24d3c4e4fd7e1bc4f93387bfcb10d8d7ff23e403d9317e5c38b855febda4a3837

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
381KB

MD5
a610bacf8215e2a463f01f03242064b7

SHA1
78ffe590a944a519786427c9abde6f68325b83a1

SHA256
7fd40a5ef59b6c9db9cbde4f230edc96a4fb76fb2b2ea674ae6f198872812539

SHA512
c7387e1f0b27a37b2ab7592991d5bd28c80ddf7a71c4021e4a59f4a032180bab4d2a797d4965a4b202be105b331a35e5c5e57f01688988c9bbd6cf7a2c0cf022

Download Submit
memory/4356-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4356-652-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download