c073de727a89287cf50abb126bfe9dd3cdf7fa540635111f6945bdbb55c69149

Analysis

max time kernel
31s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 08:30

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

6e32943f366ab2685a33c83787075670N.exe
Size

38KB
MD5

6e32943f366ab2685a33c83787075670
SHA1

f1f9e1d205c31558c5470a71ee0dc830e7be916a
SHA256

c073de727a89287cf50abb126bfe9dd3cdf7fa540635111f6945bdbb55c69149
SHA512

38581bfb338dc51ae485d691b5ed90ab6ba82323e410e8b8da4d19afba2396589a34b87624eb10cc0486083df2ddfc5ac60feeb120f82c0323bcf16f45046e12
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLUtO:W7ZppApBULcfpHLcfpyD3tO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1030) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	6e32943f366ab2685a33c83787075670N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e32943f366ab2685a33c83787075670N.exe

C:\Users\Admin\AppData\Local\Temp\6e32943f366ab2685a33c83787075670N.exe
"C:\Users\Admin\AppData\Local\Temp\6e32943f366ab2685a33c83787075670N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
39KB

MD5
f622d36af38834b0b41803bc824cd866

SHA1
b1de5f36e992f6565f6b5730037bccb596a860ac

SHA256
ab7652b1b9261f60c39c4d927e5ff41cfdaae76c3e8694710d53428d603a523a

SHA512
d3deb49803874f875d8f81e9671f3fc5d7857c0436c001e50fd9cca4b27ad26d2e5c1c81844a0491fd016680b53b31600ba2a92bb812059df41318ec4f4c3b44

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
d250250cd24910eece069965611a8cc9

SHA1
0f69857144a1525c6013e8d2d2378b3f94f0cfa7

SHA256
b62b2b9773c8434b646da4ddfee34f120d71da5612bc3ad019c786fac2412d95

SHA512
b94b6f4e6cf10dc509d6f7409013a24a2f3b3877c94bfa721ef965942b1354ef126cb57807d68a44b5143b78228e75463d0dd9cbfbb7544225e081998fba8481

Download Submit