d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
Size

73KB
MD5

4e7a7980c152749ea7127e5f6392ae74
SHA1

8493e58c30def15d7c6de75c4ce1bc557d311c14
SHA256

d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831
SHA512

c23c838d39240b0c60603ef8e5790c2d374846f44839a8a5fe29d9ce26b220a6b2063b3e1563f0114b0efee1b7421fcebda577b45ffd4fa3e89f923bc1c20cce
SSDEEP

768:W7BlphA7pARFbhvOsTKnKqtb4HBZjlwGpCYnigugqOzM9bdifwMtxEwJjlVkTZ2g:W7ZhA7pApvOsOKM4HBhaGwOQ54xEIjl8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5002) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteFilter.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe

C:\Users\Admin\AppData\Local\Temp\d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe
"C:\Users\Admin\AppData\Local\Temp\d9a66df23a3f945a9ad08ba678aaf65ac0904d524f04325f1c4bb301092cd831.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
73KB

MD5
fca2a82f0a0bb4d46d1776a8c0c5f9dd

SHA1
bef14e5a72aeeb52cc271f80dc94649c9970a89b

SHA256
17108fc7120aaf8498d85c1e3d923d05139b9f6736bcd59c7c2af028a01bdd21

SHA512
5259c1f47b0ed0584e538d7292b24c7f81bc56398135345a4da3158c86c86f23f59d7afcea8e4c1e4257d26f4ce6b408f3789941c480db1c8f0ea8ebfec3ec15

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
172KB

MD5
34189ee2ce99aa311d0dca5175b145c9

SHA1
00a1226d61fe76367e6e15b5cc9bec24887695f3

SHA256
4a28b754846ae9e13120170386c8d6252b2ecd8cd5d94bd6a9e2918b26a2c082

SHA512
fce47bbd8074719fe238473d68cba35de85f7130768cc8fef323ce609cee2c06fbbf02289b55398ec54f2d02460867cdd516a32146efec3983c8c12c5014414d

Download Submit