430e0c9242e49f1de287191b4afaaab382d4740cd798f976c9d76f5c08c75632

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b97451b9a3b51fda9719c03850a8bd40N.exe
Size

37KB
MD5

b97451b9a3b51fda9719c03850a8bd40
SHA1

dd9cbd396b60f643d2024b5aa83a86a788b896d5
SHA256

430e0c9242e49f1de287191b4afaaab382d4740cd798f976c9d76f5c08c75632
SHA512

67903607c441297328a2c4eb32ae183982c69241efda306f940e9140c9d5f9a46c125f518fc8fbe45ac3fa0f36ff26bfb7ba092589c327d20c8706de8100bb86
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFkvG:W7ZppApBULcfpHLcfpyDr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1724) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	b97451b9a3b51fda9719c03850a8bd40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b97451b9a3b51fda9719c03850a8bd40N.exe

C:\Users\Admin\AppData\Local\Temp\b97451b9a3b51fda9719c03850a8bd40N.exe
"C:\Users\Admin\AppData\Local\Temp\b97451b9a3b51fda9719c03850a8bd40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-384068567-2943195810-3631207890-1000\desktop.ini.tmp

Filesize
37KB

MD5
3ba7d7c672d2e3b45abc92935b1d98d0

SHA1
09a3c6d4eaf6befc63c7a47c6e37c4734fec74ca

SHA256
655d45b0ff6f5b307be8c54c6a4f61acd7fb33bf21bbee2e2e3af196ab4e6dc7

SHA512
4ff2d909d110c0698cabaff215b056dd6efc25902bd6d05372f9561399114d78a27e09ebc57e4a60c74b4fa7236800c8edd7a23d5f6f0f4cee0b18e9d7ca2595

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
136KB

MD5
3ee0d77f246a97628d6de02f89d808de

SHA1
b7b9cebabd8a251cca726eb077f337d4f5c97787

SHA256
7793fc5d9a95e01ccf510ee0e4aea843aef55db689bf5bf16b93498d2c099890

SHA512
ab5e22108ba8dc7f80ab3ccf15d3eaf05e86a9a1f0251c11c37e704795a3440f068efb256f6e42ea2067e567123e0e2808bbf8ef2ddd42a43d3e5120df4ebb8c

Download Submit