Analysis
-
max time kernel
150s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/08/2024, 18:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe
Resource
win7-20240705-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe
-
Size
37KB
-
MD5
d69069dd4cdbc83709033cfa9a9e73e1
-
SHA1
4b814c5cc84c6d116d4dcdb1b581ee3b1773e3f6
-
SHA256
097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79
-
SHA512
d36f672130225717ae5760772a4e1e1a71f228e99fb9fbfffae7dffd71b92d09f3545ef2e488a5a107e7c815a0bdb58a02f744aa1e7241ae552f6ca623ed1d86
-
SSDEEP
384:GBt7Br5xjLdbAAgA71FbhvU8g0U0fL+8t8YwTZ18x:W7Blp+pARFbhBgnKL+8t8NZ0
Score
9/10
Malware Config
Signatures
-
Renames multiple (5198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoDev.png.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationFramework.resources.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\OSFSHARED.DLL.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Internet Explorer\iediagcmd.exe.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\MSFT.png.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\7-Zip\Lang\is.txt.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe File created C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe"C:\Users\Admin\AppData\Local\Temp\097b3d39ec0d14cc5cd7640ccca9776752e9a48445bc951e6fb151600d033d79.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3984
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD5c4379f48d353f6731375056722ebb74f
SHA1e46204aaa8e3cbb8b2ea5c9888140bd93e803291
SHA2566150a9fbbb3033d05897ef38f5ddc9cc07364c89f14c123e0b9297d7219731c9
SHA5125e1eaa11d9c7a83b7368b433fd37f4fee5a59ff044e5ab36eeb6fbc3fa6c3b2fca4bd509d329286197c12c738a0dc48aa3150f50e5f789e4d73cca23f3510002
-
Filesize
136KB
MD5ab74cb903a9e8d08d75e9d8d79d6fde5
SHA191c35195615ba4afd5411239e3b0d1dffbbd333d
SHA256f68f21bcb6c608f1c2a68f543af9e85eb0a0d9141f8d1ee8ec9d79f87d3968b0
SHA512e90febc88a9e8f4e245502fcc4e4d980db2c73ccf1309c0f4e8345869ccfb7841123b885e2f4991390d0f33dba3c80a86a4e38cb2118bceb1a3548507ae45c9f