8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
Size

68KB
MD5

954d9d976cfe3694d954c9998d96eb0a
SHA1

ef769b39e9415687be7bf906627d8893ad42d5ea
SHA256

8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6
SHA512

f8a69fd5e020bee5d00d07662008381f79e97eebdb273994702e6583978dcf7228b20adadeca300c38a785d32ee5338035590d1a706c56d5c2c9f3be3ce99ad0
SSDEEP

1536:/7ZQpApze+eJfFpsJOfFpsJ9VD6NVD6GUhYTY9:9QWpze+eJfFpsJOfFpsJjub89

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnvr.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\msipc.dll.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONMAIN.DLL.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe

C:\Users\Admin\AppData\Local\Temp\8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
"C:\Users\Admin\AppData\Local\Temp\8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
68KB

MD5
9ea4d3c0fbef2d8d9373e2c184c47d54

SHA1
68c263fd05bb18cbf10f3dcb327d2f698cb7f3cf

SHA256
d898420cb715af4272eeb32805c1d4ca6036c73f0ccadcf4a2defd91d9196122

SHA512
5484a35a2bebfb94230ec69d1a5407782428eb05d2080834585b0a9707689d68ffb1ea8f699068e443b64a7f115dbc9cc47fec3400db217e70a1e9179518a0f5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
167KB

MD5
93da4a035444a0fe588517301f8c47de

SHA1
405334c85ea8f6e739b27a254bfa866387ab8726

SHA256
0085b9c9dcfe5f62316f4cbad594513e150294822750ca35fca4918ac7192ec0

SHA512
4379315f61212c9715270230dfe26a3709a028c2ceeaa03c0e90dd614ed7d8f34f142d221eb254d65f7b9872d92a001283760c5b436b8b39ebb90af09033b291

Download Submit
memory/3268-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3268-1964-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download