0b9e90ec65521f009af7ebd8e75f21b152f511fab64d1da1ea50c47108a4f927

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd16feb8afaf233a42210718585bd50N.exe
Size

69KB
MD5

6bd16feb8afaf233a42210718585bd50
SHA1

ff4f241fec7bc9fb78e9113dc810c5612e084de9
SHA256

0b9e90ec65521f009af7ebd8e75f21b152f511fab64d1da1ea50c47108a4f927
SHA512

3783545b2ccfaf43de7832d0fe1dbcab7fa1b0481a9fd6110a29dec86db266de9f3b739884147e0cb03b5694687e3041d18e7cdc40d62fbeecb7675c3f1be6c1
SSDEEP

1536:W7ZNLpApCZrt8PWGoPWGANdN+hEwHwDvZvG:6NLWpCZIzjwHwU

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4640) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bd16feb8afaf233a42210718585bd50N.exe

C:\Users\Admin\AppData\Local\Temp\6bd16feb8afaf233a42210718585bd50N.exe
"C:\Users\Admin\AppData\Local\Temp\6bd16feb8afaf233a42210718585bd50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-195445723-368091294-1661186673-1000\desktop.ini.tmp

Filesize
70KB

MD5
aae6a4eb17470e7876a22fd48fb13ee2

SHA1
2055773877676ec6936b37f7abf372eea11ca702

SHA256
320b23e7291c65ab791a1d3ad3a59752e72c92b6e6a3ae6cd4bc2bdfe7d86ce2

SHA512
c1971ce9e440bb0e59afee7f46b4f876590445433cc2589a6e0adfe4d317069700938572f6167ee1deec3370b8c5f9bec0461bc85812b2cb7caa232d4a5da218

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
fb1861e70b9648c94c676f3beb7f57f6

SHA1
52b04928d15701b50fc7ea946b3e159003964d6f

SHA256
2d9772d0b5248828752fac2187795eb04cb5dc016d0a1d3f04685b3df307ea66

SHA512
78cc981adebfaef6983de5ad3e8abacb2f3de836d7c351f4ba7370107c600777c98f391afdb4866f8b19b3b1d36d29997af9532a2ea591b9c15bec929664eb12

Download Submit