88536dd57c64f5884101ecb39e8e8d0976b4f5552e46e0e2f5bdb0a8e250c492

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b24409cea294b484d17120fedf3a830N.exe
Size

102KB
MD5

9b24409cea294b484d17120fedf3a830
SHA1

813041cc9f557e05625258c06d6c6bc16b374925
SHA256

88536dd57c64f5884101ecb39e8e8d0976b4f5552e46e0e2f5bdb0a8e250c492
SHA512

40dc0619266a485d35ac9aacec8fc02b3468f9ed3537855839a0f2de66030933103eed0fea89eb9685a21d8811afa88b99b1de68a36ec8365334d1ab3ced7d54
SSDEEP

1536:W7ZDpApYbWjIlE77ufL2e+efZwZQ/8S/8z3MLyPjPY:6DWpwE7oL2e+efZwZ08i8z3MLy7g

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Google\Chrome\Application\debug.log.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\bn.pak.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\dotnet.exe.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\optimization_guide_internal.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe.tmp	9b24409cea294b484d17120fedf3a830N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	9b24409cea294b484d17120fedf3a830N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b24409cea294b484d17120fedf3a830N.exe

C:\Users\Admin\AppData\Local\Temp\9b24409cea294b484d17120fedf3a830N.exe
"C:\Users\Admin\AppData\Local\Temp\9b24409cea294b484d17120fedf3a830N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3881032017-2947584075-2120384563-1000\desktop.ini.tmp

Filesize
102KB

MD5
f5e03173eb0ef9232483157c1936373c

SHA1
6d2f9964acd0970bd3f98b0a478585a9350dea43

SHA256
614dfa79ab24e54bc9fe90b6dec5a5f8141d8e0ce7cb6e5ab26318dfa777a23d

SHA512
66884f5ff6e883f19ad0fa3516dc8275280c7ea25add3ad297915a78f891d553e69ece9b31aa706370f98f99190b4e2f0288bbbfbfc119ed4e2f6b106930cdb1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
201KB

MD5
894ea847ffe643cecdadf8f36355f41a

SHA1
517b53f7f85b29dc5e66b84f27a0c3b3d875aedc

SHA256
7df2d1a6ee0baa5422596df17b4cc8654ad59c818721264b9f7851b729c7798d

SHA512
4a2d0f249c9dc42b076c539b00fa3afa488b468513af47e8feb3beae9b3fa84cd7690e6046f2b6ded07aca9012d9e951a3fe0b51f5a2bc1c9ce0340a0dea1ab1

Download Submit