ceb8dc6f4126b70561d76599b34761cf63a04d40b5dfa37af9e5394c9e10f381

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 07:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

669d92414c27c1224cbc84c92efe8550N.exe
Size

99KB
MD5

669d92414c27c1224cbc84c92efe8550
SHA1

c12987ba23cac1f13b3513c72eaec8dda252debb
SHA256

ceb8dc6f4126b70561d76599b34761cf63a04d40b5dfa37af9e5394c9e10f381
SHA512

955fa682ec40efb095c29ea23efa6b7e157c9fb9a77ac49b20ae28e214397ca77c46af36426abf2f7adc2278da66a2898346bec1618bf5b62b66f5b541b2622d
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyBz:PqFF2Ie+effyx

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4562) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-private-l1-1-0.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationProvider.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	669d92414c27c1224cbc84c92efe8550N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp	669d92414c27c1224cbc84c92efe8550N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	669d92414c27c1224cbc84c92efe8550N.exe

C:\Users\Admin\AppData\Local\Temp\669d92414c27c1224cbc84c92efe8550N.exe
"C:\Users\Admin\AppData\Local\Temp\669d92414c27c1224cbc84c92efe8550N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
99KB

MD5
eef2988028b13bf71553508b7f762e4b

SHA1
434af2d0bb5d5acdb7d14191f4a225f52085776a

SHA256
833495c557b432ba1e15118467180c8e83caeb8a5a0c1b799ba85d6bb2db9e35

SHA512
8751782e69af2a96a3b4f655a7a998a75a233620c84cdeca0d2cd2d915ef455800b51846e8073c67873ac8490ea2d5200fbe3e70b25c5f2a7a888171f835b4c2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
198KB

MD5
e14ecb9e53afd9af3e7b5a9cca6755a9

SHA1
fe1f72a7172e938309650533b2ddb8856210bd79

SHA256
17854de96ab9134b0265442a1909c032afcbb01f9f3afb25672ddbef1bd5b7ff

SHA512
62b353b51848b0a5ddcbe0ee9096b91af05f84fa3415b3f5f6ecc58d5c5c9b6988b24586e4915029bece30ff53ff0eb8cbafee1d591a20716c8b91067e7b47b6

Download Submit