91b520d1905edda4a5e839da333fc8af4ada75db7a17c70be378827c16754e5e

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b39e20e0353415673b72587e926dbb0N.exe
Size

55KB
MD5

6b39e20e0353415673b72587e926dbb0
SHA1

6b18eea6485201a9b880242d1a94905806d90631
SHA256

91b520d1905edda4a5e839da333fc8af4ada75db7a17c70be378827c16754e5e
SHA512

d05a6450f8c5511140fa5ea5284243831523e0bb1a49a5c68274f647c13cc1fbd3cec4fb0de2d5f6d23cd54e325a07cc79bd29416e83a325cb9d4ea2b79f76d7
SSDEEP

1536:W7ZhA7pApt9uw1vo6YEBWqQA/QZl5LenTpnDr5LenTpnD1UpCUpM:6e7WpHusA6YEsq5AN

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4538) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\InitializeRead.vdx.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\desktop.ini.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libEGL.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	6b39e20e0353415673b72587e926dbb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	6b39e20e0353415673b72587e926dbb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b39e20e0353415673b72587e926dbb0N.exe

C:\Users\Admin\AppData\Local\Temp\6b39e20e0353415673b72587e926dbb0N.exe
"C:\Users\Admin\AppData\Local\Temp\6b39e20e0353415673b72587e926dbb0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
55KB

MD5
aac46d02602df21f24c98a9babd06e77

SHA1
9c7c7b3617bfe39ae93704af2ddf453b39f5f236

SHA256
7080d106f04bdfec057686f1befb2cdbae2a5ac0277b7586de55e952109f3bb1

SHA512
17ff049822b6c4904fcf4d5db46d78c022dff9768c959a294c4220f79458f02eb08596d3a266424d2d76ac4484ff71169be43ecac9b7e9582ec585169d168fa4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
154KB

MD5
872f89c919148f5d93fbffd28a3beb1f

SHA1
8036bddb82733f64671b9088ab65a2ff2045e19d

SHA256
d09eefd798d14774b9d61f13ace2ad8ffd5320bbddbdc3a5473dade200ef6f7b

SHA512
3c4d2dab176f95bc0b2f3e6d699891d63cdd20bcf6cf537aebad943e43bee00eac0185fbe04420df60c550aa03d5b025b864746eadaf653341bb8a67f44a4059

Download Submit