8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
Size

209KB
MD5

4088c7c7dc7c8f0ba5497ceb9cabd690
SHA1

79ee0a4d36b3714bba4a57ae6d3e9cbe3f0dd9d5
SHA256

8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567
SHA512

dd45562a04b8832fb2146e9bef56894c1632069f9f7006900939a5d335c52c7bbea205a70845baac099a96fd34ef52ef9d6ad4dbd038bcc0815f2589b95f74fb
SSDEEP

3072:fny1tEyyj2yAeCgjJQWHIjN3tj6qnv0b2UrXkbvLiPB:KbEyyj2yAIJbIjNDv0bNXkbvLiPB

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3328) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5032-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b4d-2.dat	upx
behavioral2/files/0x00140000000228fc-6.dat	upx
behavioral2/memory/5032-640-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jre-1.8\lib\accessibility.properties.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-CN.pak.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe

C:\Users\Admin\AppData\Local\Temp\8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe
"C:\Users\Admin\AppData\Local\Temp\8ecdc1a98eeb8a07b6b1ab22c08d8f360b2c3dd141ecf9f8b781660a3c017567N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

Filesize
210KB

MD5
cad219ba2dd1aadaca43df797ba86a74

SHA1
15ba7162dcb0e4bde06fb5396316e0fec4563d5b

SHA256
73b7a7f7b19502a71e62064cfc5b41dcda69bf99816f96e77be944abf1da03c7

SHA512
e3a956916075409940a32802b8250ffb673cf57d7888aaf073e646bdc611d74cd8169b83725b6923c545d9109d95ca2e37cfe5269e12177f43425f9aef153140

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
308KB

MD5
a8cb174dfe560a49bad3f6996ef7674b

SHA1
dbae5970d470b7fac92b513d7ab776eca2d34e76

SHA256
4205c1cc854e41961068139ccc725c483b7beed4fe1e718ab9d5e876ca984d43

SHA512
83795bb4d336ad0eee7886becb88dac61fe382e62ccafab0f1f7b80c409f593a6fdcfcad53382d9462a3ca43e49e8b1f3e5fb77569016d30113ab38dec47a52e

Download Submit
memory/5032-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5032-640-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download