a097dd40c7eb68db26315413e0c5c86977489afc77b92ebeb66452137418628e

Analysis

max time kernel
120s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

997a54ef3b0699a5fb43aba0925f1d70N.exe
Size

40KB
MD5

997a54ef3b0699a5fb43aba0925f1d70
SHA1

72eb1bded41be78364fa347027fa31580e4e5f3f
SHA256

a097dd40c7eb68db26315413e0c5c86977489afc77b92ebeb66452137418628e
SHA512

7f79250925c87b1702bd237cb465c28ef472d4384c4c55dc8bb2b2f4d58cf83eed93ecb0163f955fc28bd4203a367116397787620e1390cfad35d9e0f0125ea8
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHBDPeLS9I/sExeLS9II:yBs7Br5xjL8AgA71Fbhv3UnUN

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1646) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	997a54ef3b0699a5fb43aba0925f1d70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	997a54ef3b0699a5fb43aba0925f1d70N.exe

C:\Users\Admin\AppData\Local\Temp\997a54ef3b0699a5fb43aba0925f1d70N.exe
"C:\Users\Admin\AppData\Local\Temp\997a54ef3b0699a5fb43aba0925f1d70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini.tmp

Filesize
41KB

MD5
fe4ba151451dc924c4531d1757110976

SHA1
f172b1e34a97920dcd78acc30b4b4e3ad13ac542

SHA256
a8be5a840bdadd89285929e6937e0e85a0fb0f02b55c275d9c3998f074c86347

SHA512
0756d12a1fed234f5a760cdb17ac6cc82cc39dfbee2876da3526167c1b95ae0e19a074565efe4e4e584e7d06b87d261bb79d81cd2a322449130f4b575d5a7881

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
fb8c9c879d5cbdacf0ec510e59bbeac5

SHA1
86c0755fc6d0ca6bc15f0f019bbe5004b4882695

SHA256
175a05400d7a38f0a9017eb03679e52c1cf471b00e518c544c45e5646536a183

SHA512
c3e6aa4388d0198115abfafc82ff1e920e623eaa8a24776d07c9f67aee26d6a0018c78efe283e8e335e0419c004d81ee944a2dfd8e42f92a197b77f3472bd52c

Download Submit
memory/1916-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1916-936-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download