4948b4e3b984cfe6fd1372f60b4c50fe60c40bf121075516d0f7e13fe3c64c4e

Analysis

max time kernel
110s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cbc3cd68a4d0a197a04484d9082e720N.exe
Size

36KB
MD5

9cbc3cd68a4d0a197a04484d9082e720
SHA1

5f69f372f763c33629489f4fc5d22f573ddc9ed2
SHA256

4948b4e3b984cfe6fd1372f60b4c50fe60c40bf121075516d0f7e13fe3c64c4e
SHA512

66d1f6ea73023016dd056e734e9055a822bf2659c84f94536a4808c9b86f0e3fe51a818c8f22e8e862562dd1261473830e82a462dbf66aafe1add69329836a3b
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHbkJkFdLWi3dLWiU:yBs7Br5xjL8AgA71FbhvCDC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1754) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\DismountUnpublish.cfg.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	9cbc3cd68a4d0a197a04484d9082e720N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cbc3cd68a4d0a197a04484d9082e720N.exe

C:\Users\Admin\AppData\Local\Temp\9cbc3cd68a4d0a197a04484d9082e720N.exe
"C:\Users\Admin\AppData\Local\Temp\9cbc3cd68a4d0a197a04484d9082e720N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp

Filesize
36KB

MD5
efe0ce845e51c28b1a615226bf982dc1

SHA1
ccf7f9a5fa70a50dfe4659357b97734571fd3a51

SHA256
b417cc584cbca802894a177009f271cdca64ae209c8fe84e7c1f8bd9be538185

SHA512
e8a1636bccd6480ec5c0bb0ea3aa8e059a68c3378b77735b3f310e807dd621d1ef708fcc8ed8c20d938dee919ffa04f76ee5efae1306eef39e087030eff163b5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
113b3e4e9f7d52b56a9b472a51357471

SHA1
81b3a20b99287328c4ca3000861105c94443b443

SHA256
5f9d58d3e3912c468e73c234c6175a54024580563f0622d6477e7e81daa76d75

SHA512
29cf11bc04ab6faf3545f1a545e06c7c15647aefdde5e22337ed5074ac02c558aba97c462f0f2ad587f6afabe54213222f5290ea9fcd5991fdf47d331063cb35

Download Submit
memory/4820-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4820-1246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download