Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
10-06-2024 23:04
Static task
static1
Behavioral task
behavioral1
Sample
6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe
Resource
win10v2004-20240426-en
General
-
Target
6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe
-
Size
83KB
-
MD5
0c7eda5da54d685ef9468576867de416
-
SHA1
e8153b4dd90914af0d9ad6c5f73c5255300e83f4
-
SHA256
6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a
-
SHA512
fe06350d03f546dd027e8abdeceb04ee8eae309db5de7c2acfea1e9849bcc761d6c1c52d13a03ff5194a910a103be9b870feb0eb126a1ba8f11785adfd83d2ac
-
SSDEEP
1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhr:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsq
Malware Config
Signatures
-
Renames multiple (5184) files with added filename extension
This suggests ransomware activity: the sample is encrypting all of the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp 
6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\7-Zip\Lang\be.txt.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\bn.pak.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp 
6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryNewsletter.dotx.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp 
6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File 
created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\uk.pak.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnms006.inf.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp 
6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp 6981d3ae4b84361536cc3c2079b54da9981958318cf14fa3d0dab3db85e6168a.exe
Processes
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
84KB
MD5 1a4a2dc37b1c3f66dc53ffcf622da288
SHA1 f257da3d15cbd21d8f981910bf5998ca61d208c6
SHA256 51021432602e35940ee08c028297a6e447501c7c4cfc75e3127ec846f2d2a32f
SHA512 31d64c816fb74484c650372a5d3990d82edf41012b1d67d3a7e730744283075590e8a03f12ab75eb6072b06a301c4846c91d9ab2de4e5b87a26abdc308046866
-
Filesize
182KB
MD5 0b4ec02fd1aa644fd23823fdf95f00a3
SHA1 acfbdfb5ab42d05d5a864f9fffffe4b859a4572f
SHA256 6c212b426a50cccf0656f27e575f729d34035c3749f257ac7d51acdbaff520ec
SHA512 133d26f82b1336968fc41ee4ca84cce1156c894c38f7515ca2616d0bb0aa1dee0d0180a3568a001557a0fea43df989f4d2e5b7109e14c0e2cc0dfd14c3d62e71