6f7241dc528a8897133bfcfc91e85b18fc6ce295fc897a6161a83a02ea9832d3

Analysis

max time kernel
120s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88067ba0c9ac2f33491280b383d21270N.exe
Size

57KB
MD5

88067ba0c9ac2f33491280b383d21270
SHA1

bc69bfa77cce5ece9ddac0306cbb8f64debd7be1
SHA256

6f7241dc528a8897133bfcfc91e85b18fc6ce295fc897a6161a83a02ea9832d3
SHA512

5059ba3a1ddc04360b45ffcbc69d4d4dfc173f176f8f610a67591c4bd8e66b414c03f341699bbad385084ed2f23b228fa721dde50f45e8bc301cb6d03f1d3847
SSDEEP

768:W7BlpppARFbhwEnAAJ+AAJ9vcYNnVvcYNnfy7/Y:W7ZppApwEk7n97nJ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4013) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fr.pak.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfr.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\hu.pak.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	88067ba0c9ac2f33491280b383d21270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	88067ba0c9ac2f33491280b383d21270N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88067ba0c9ac2f33491280b383d21270N.exe

C:\Users\Admin\AppData\Local\Temp\88067ba0c9ac2f33491280b383d21270N.exe
"C:\Users\Admin\AppData\Local\Temp\88067ba0c9ac2f33491280b383d21270N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp

Filesize
57KB

MD5
ad5125361dc6e8852f735e0ac17d2cfb

SHA1
b8a3ef3f4333b63bc3281df9c3f58b8a98b44ad1

SHA256
ce5e6a6ddf470eed8e3751cc16b24dfcdf63d0f0940b475ae698159219726b24

SHA512
48d651a5dd6e7f891d84171b5e43566a5525055038a30ad19ea98d494db4935e78e10054b563d2cb9eb1cf015cf897be6946c17c832012e80eddbdefbc4092ea

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
be84fb27536bb342d44d99d153c8f573

SHA1
f43abb63979ea0759193c5a2db1ce024406537b8

SHA256
93c563179d99ae5f5328e422e0ce590f76f209049fdc5555a96c234c359385c5

SHA512
06a26277597357a91bba9d2479e6d0a09b85783e2842a979dc46e5b551abd26f9785d62502e56a62a92b42b1df27571c778d709ebcbd11225a0db42f84959691

Download Submit