2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
Size

86KB
MD5

8f5c8015db87c61f0d6a17ae0fe3b08a
SHA1

0902002c9fde58529304d0b84d30c59331d40e87
SHA256

2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b
SHA512

d9632595d6e972a1bb3c1985a22c9c20acb403b12bc64900c7bddf8271c046c9b17ba326060c8dac153af80507bed33d0cab9217f1a36682f0ef00e8d47fd04b
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/ti3c7Fc7NH:V7Zf/FAxTWoJJ7TTQoQmoNC4CTPeP1

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4371) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4816-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023bb1-2.dat	upx
behavioral2/files/0x0004000000022916-6.dat	upx
behavioral2/memory/4816-684-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClient.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe

C:\Users\Admin\AppData\Local\Temp\2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe
"C:\Users\Admin\AppData\Local\Temp\2fa3c9ffd1b5018f5f4fa28dd67aeefb3b0bd4e921abbb3757b9976e1f5dfb5b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

Filesize
86KB

MD5
7a12fbb14b2eb1e22622dfffca803871

SHA1
c05aa0f15ef33748b908e6cd7ce8f2a10a872c17

SHA256
3cec2b3112dca6831ceab7c948c93daf4592eb763bd3d6e6c528443b1c7a582c

SHA512
5c83492168ea9fb1770db649e37680baed31862588e28b534459870e2245543193fc270a7474f36f21586250a9f680f98916da7ec14ee39776b7ae8c73d52b04

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
185KB

MD5
43848c930cd8a2f0795a2fa02d7c5c73

SHA1
55e83c0fb2c80494ef1ee81dac7f91324585cf00

SHA256
a5e46989439abf11d9fc3712a680b3bc65b0c3d8700d4a4f4f9e07590f7db86a

SHA512
259323a610ad11a4692c5e3c261fb68af230752ff75b3044b157172838e460e336f4ef9af4ab5917047d33c0d4e7496a9f9e8ea349307d47ff5dbb2d7eb83edd

Download Submit
memory/4816-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4816-684-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download