d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
Size

102KB
MD5

d1c8b9319efc2ad923c6b00c28887c5f
SHA1

0141c1488743d03898d8f10bfde284e4bb28f572
SHA256

d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409
SHA512

ea190937c7df13c023ae4484000315e899e8db9d68f6fa21db68bafbc564b457fe6651597631e09c6910d4ba481eb25098ad623a77cdc585428104f3ff8f5653
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyBm:PqFF2Ie+efsim2l

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5033) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White.png.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.DiagnosticSource.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe

C:\Users\Admin\AppData\Local\Temp\d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe
"C:\Users\Admin\AppData\Local\Temp\d6442bf232a69f4cb21a4b47d62aa90e39517da33fbfbe76dbf3809e78d5d409.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
103KB

MD5
5454f8c15e8dc82ec00f428858c20507

SHA1
b2457a7eb5dea9426534f8ff71789e7ca5b4d1de

SHA256
e9d553542acaf8e5143bfae6d45e541a4022257f15e195f97ccb70456db1e254

SHA512
23c7654bda1a6e43a65b5759d3567512d8a3448a7903bfee1fd977eebd69db8a5a066fd26c989eba1694bce8b434f213ca84fd391f0a6f3f971d2e574228fb1d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
201KB

MD5
d84458a4479041e15ffa37f862e9d55f

SHA1
4b22121981a3264a6502d02f8af6d69875e1da81

SHA256
7d621da958446ca7fdb42e61daf096a2d9bf840a448b1543edc803bc32e12936

SHA512
e552d29e88443d0d74d46e99932725479d950f28daa238286bf355191d3b255279d0ad520a7949bce52154878f255ad17fd53ec2c964080c68bbe76180c767a7

Download Submit