d79b69ec7a5c3d84074f7c6762066aa9b65482ccb3fb0b43c233276deaff8095

Analysis

max time kernel
120s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

930d9d5fa1bad2e37e03f8275b961de0N.exe
Size

77KB
MD5

930d9d5fa1bad2e37e03f8275b961de0
SHA1

1d62b1176e17ea34089a5354492ecce20d844784
SHA256

d79b69ec7a5c3d84074f7c6762066aa9b65482ccb3fb0b43c233276deaff8095
SHA512

d7622d8bcd8a28832b2e00b1b970385ab5b146ae03a6c8cc4049f7de0075b91ed6cc982e1bda8075426a5e178c99d16b9340fc76b6b7ac934bb040ee56ba7b87
SSDEEP

1536:W7Z9pApQESOHepOHe8G+6E65dyGdykNdNBKggU:69WpQE0zxgU

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClientSideProviders.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\gu.pak.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	930d9d5fa1bad2e37e03f8275b961de0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	930d9d5fa1bad2e37e03f8275b961de0N.exe

C:\Users\Admin\AppData\Local\Temp\930d9d5fa1bad2e37e03f8275b961de0N.exe
"C:\Users\Admin\AppData\Local\Temp\930d9d5fa1bad2e37e03f8275b961de0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini.tmp

Filesize
78KB

MD5
ae92699634a6167c5a3d21b242a93061

SHA1
b4f6404fa269783aa5d47d3d832071c6ce260818

SHA256
3206d768733ee03533b043704c0d76a96c396e523bf30228c188ea264173b5de

SHA512
c428eee1536aeb79d948aa91d518de8f81ff3f145bf7c2d15014cc114d26c131acdf42b95858f96cc234c5440fc886c985febbd4f9233e6ab371891afe1f89ef

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
176KB

MD5
63bf2dc0fb6b5d227b0b11e9c7cb0ba8

SHA1
41bdc0b5c444013dec9d6201df845ca58ab45503

SHA256
de935aec3580fca944e1bd3f1f85cfe1d9f1b24f90ab3a3ec6153cb974bb23bc

SHA512
27135f12b84446ad7a91983f59583e7eb3a8a2dc80421c7e31fefa5d18b849bb096b8f4de0110199a6147c70890280b72b1ca588f8caff50b242f1e5f6e04e90

Download Submit