986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
Size

82KB
MD5

f9ee1e38b2f7b3656284709bd363c23c
SHA1

42b25b02972b7228b9d45f25cc5fd75678e18ddb
SHA256

986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34
SHA512

20105ce94eab649bc97561b84e4bbf4112995b7aacd53a8d7ff2c92e6969331af8fb2aa426125a5687893aeb11923be1bc5013b96730c49cead3b8519a9595a7
SSDEEP

768:W7BlpDpARFbhYQkQjjIXYvPXzWPXzK3733uF4V7en5c5HChCrmhWfxRfxenTs:W7ZDpApYbWjIoPyPoLzV7c6ShWfxRfxR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4716) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\LogoDev.png.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\am.pak.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\nb.pak.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe

C:\Users\Admin\AppData\Local\Temp\986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe
"C:\Users\Admin\AppData\Local\Temp\986bda01935e6142f2c387c76349925f78230f05c14bb75e6c77591f759c1b34.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1266786182-1874524688-71015548-1000\desktop.ini.tmp

Filesize
83KB

MD5
83edc0dbc62cc70e6fd06c0ce5d1bd40

SHA1
bdbd5f73e6fecf442277d983263c14d8be892e42

SHA256
e9de8553856b580f1475c15c2f4397477e2a1fe53a5169061d8a1c96134bc4be

SHA512
c6baaa9b2149dc97803fb6ab331c576eafbd72946e0b835c718238bcc261b07ee48920d63a518f6c1eb2b099d425275939f2e2c29109e9ac8eb8c43cbfef8596

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
182KB

MD5
03b13527240a44fcbd848b6d0e3d2c6b

SHA1
0255f9394ad7e3b3afc1d7e8c9cb2125451c2fe3

SHA256
946f36a2dec3693d2c9b4e6fa4cc6cf5bbc1d7d699300e04a2b3cc5f99fc2f28

SHA512
0aa41d078b24d3a0b9c99cfd7c870cc6228e931ae0f72c1b1868a1265d012c5124bc6233098f96de9c725c417bf37b18c6716cacd745992da2debbb139a0f17e

Download Submit