Malware Analysis Report

2025-06-16 06:30

Sample ID 250515-h72pssap8z
Target 264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a
SHA256 264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a
Tags: discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256

264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a

Threat Level: Likely malicious

The file 264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (5252) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-15 07:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-15 07:23

Reported: 2025-05-15 07:26

Platform: win10v2004-20250502-en

Max time kernel: 150s

Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe"

Signatures

Renames multiple (5252) files with added filename extension

Tag: ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Internet Explorer\ieinstal.exe.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Diagnostics.EventLog.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\7-Zip\Lang\es.txt.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Memory.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLL.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A

System Location Discovery: System Language Discovery

Tag: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe

"C:\Users\Admin\AppData\Local\Temp\264ea0a12ae9fb0c7d47c9aa12f17c138328ae760aaeb85f205791cddd91e53a.exe"

Network

Country  Destination          Domain            Proto
DK       2.19.173.67:443      www.bing.com      tcp
US       8.8.8.8:53           tse1.mm.bing.net  udp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       8.8.8.8:53           c.pki.goog        udp
FR       142.251.37.35:80     c.pki.goog        tcp

Files

C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp

MD5 f7731450c657cafbe470f1e9b0a5b657
SHA1 6162d868d4b76508fae33806612a73341c136a6f
SHA256 b549d5af5fdd56600a2ab16adc00666b04b15213627e26d36550509efed1f655
SHA512 1204c1862bfa788bf2f1531aaf7f7ab515791aeb8ccd0fb40cdeeaed4558af027cc680540452d99e7cf51e3c8d9fc063446f3be0d807deec4697c5f31f2ad896

C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp

MD5 5a331dbdad92e0d8f6098a229c01148e
SHA1 619d288c0e9ceac8a6fb09dbcb64cc311ec5cb86
SHA256 60ec1a53fd73b70473f247cc96774ce1a038d6d39442542dfd53747e72d99206
SHA512 1393a2331a89c6842219a332eaf753f7a888ea2f0ae3271f0a75024c4c4816c42f066b2c5e0c08cd7fe25912f056c4e7cd1c5d79686ceebe29afe1fa2c57ca2b