4ac4a9ea6d1a68a99a93f8f78f3db8c94580144dc02701bb88f99d36c9bac35d

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6669d9172aa5d6af07df20b277c072b0N.exe
Size

60KB
MD5

6669d9172aa5d6af07df20b277c072b0
SHA1

e2c0d3850a8b110c304cac6ef5e418e74af0732c
SHA256

4ac4a9ea6d1a68a99a93f8f78f3db8c94580144dc02701bb88f99d36c9bac35d
SHA512

cf9bc4fcc7c7913ab291d393535eec5fab9e2f39d8f5ab9de1d5f4ccdc440fb9fcbd6917b8fc13808f16d5eecb51b77c6bf68814b7290c48c4150c9eb4bb26d8
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpVF/MF/3Nw/Nwk0cEMdV8IEMdV85/ETfq9T/:W7ZppApBULcfpHLcfpX2/Nw/NwmxR2/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DenyUnlock.asf.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\AddApprove.jpg.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	6669d9172aa5d6af07df20b277c072b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	6669d9172aa5d6af07df20b277c072b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6669d9172aa5d6af07df20b277c072b0N.exe

C:\Users\Admin\AppData\Local\Temp\6669d9172aa5d6af07df20b277c072b0N.exe
"C:\Users\Admin\AppData\Local\Temp\6669d9172aa5d6af07df20b277c072b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-384068567-2943195810-3631207890-1000\desktop.ini.tmp

Filesize
60KB

MD5
c118fd1ab83e8f2286457510a1940438

SHA1
997204aeac4968a3155a14c2aa0e4a05a9188984

SHA256
f69de14b0ac14e495f0250267106f201541b49ab470bbb798200a118b38ea9ab

SHA512
814db8bfc031b849b7b79d5f84813a01daafa17056c2d5114237c1831145d8acecdfc75cd900ca91897d50a445bfeaa2e5a1bc4f061e2b816562dc3883547b2f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
159KB

MD5
fed7c67e4b32c3bd269dda01fc6f5da7

SHA1
a44ffbaea28f0180db941d72fca40f926801534d

SHA256
e2132c26c30446ec8fc26e8f6a14e283d00b59087f770d3651a7a65c8dec51e2

SHA512
44762918cf6cb8913033513e590fc5e29002579878bc5e9cf4c287b68130e05e568275a0df459d5aaa858f468549d47592bcf9ee4c5a98ccdceb35d7f9ae4cf1

Download Submit