89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 00:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
Size

106KB
MD5

2073e1939210e19d7d7c552d55cbde3b
SHA1

c29782d2dd220ca3fc45f86d992c6cbcc684f8b3
SHA256

89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444
SHA512

d77298786dba5e2e6f33738d76bbee7ed5741fa52f9b0d34f5a755d54fb003b0503fc84af250965a9a1358a2b01ee0d0d1844c1fe5aa10f0b5f1702ed78f6b91
SSDEEP

3072:6e7WpMaxeb0CYJ97lEYNR73e+eKZOf7fm:RqKvb0CYJ973e+eKZOf7fm

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2677) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\ca.pak.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\sl.pak.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe

C:\Users\Admin\AppData\Local\Temp\89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe
"C:\Users\Admin\AppData\Local\Temp\89cf630c37d9644c19c1fd95f05bfb9341ee6e537dee6be496488369faa87444.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
107KB

MD5
858fccf46d5b9e5b224da038c47a7a36

SHA1
1690066564055caa771e3533f8084c13f25be4e7

SHA256
37b4fca1729881755c8d3648e5108b763384f49e696ac6c3a647303dd511829f

SHA512
ad7b8a9be37697e4e2c3db258b7c62235be476896be6af4a8983dac8f0fc9888567bd2fcd13d1f4d73567d3ca83964284154def0825d2cc8b17804fe9de35a6c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
205KB

MD5
31dcb7b2aec8e8b7d039ca4fed9e46a1

SHA1
16b7d85e5309d3e7a9a1b8af251cbfac4c7b110d

SHA256
22993e12b3b550fdf138dfd988ffdedcd97b20ab746ae75d8ef4b5e1d359232a

SHA512
01e4aaecac23b1dfac8d9607c8d7ded889e72a40f259ce1c638bc76fd652c19c028e10806e16d0de1ff00ee8da56fa425c86746ec277e39a238c9d8d82c9fe17

Download Submit