9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
Size

36KB
MD5

b60844e4f7a566caa9dc9ce943089a08
SHA1

fe141e417fff13983000e14396d133b96f173e4b
SHA256

9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6
SHA512

f13f18e594d3ed6050d6844fe519220c7bcd83c5274928168e5b1d4749e4accfe34a31ac4e72f79d4825f7c329eac7c47828f4f0b8033ac21da3949658a40b4b
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHdGeqc4SUqUGeqc4SU1:yBs7Br5xjL8AgA71Fbhva4S04S6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5245) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnWD.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONRES.DLL.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-convert-l1-1-0.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Primitives.resources.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessReport.dotx.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxcompiler.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicudt53_64.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.dll.tmp	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe

C:\Users\Admin\AppData\Local\Temp\9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe
"C:\Users\Admin\AppData\Local\Temp\9d371cf439819d4b433a661e2bee427f3b1adc4aa2885aa6055a2995dc52c5e6.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
36KB

MD5
e8d787380b511b2814ad4673a119a7bc

SHA1
fd3abf79fb424a75a0a51e54b464164dabf72c18

SHA256
63711e329d462a56fabfd4a32a298c1a0b2a73a05abf6c771bef7ccd2ee2f6ce

SHA512
9d957f1650f172c5a51a6f211677e4b382099e176d5ba68d7dbb939401b68b09b0e4fcb310e49e9de1c8cb7e35254d0287acb482cd0aabe0a203321555ca2026

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
5c2a2de7abad5b070f6cfa7cd9248cd6

SHA1
71bdc35e99b1ca68f608ed95e69bf531ce651512

SHA256
95fccc21bed8663962805748fb4b22916f8b8f90e38da70de908e2151c158cc8

SHA512
ff6a4ea22e3bc2bdffa328a580a735f4b8b2b861accba15c002c42970bbcce4c06824577e39f2164aa876f168e325d9ec772a36c35dd00a82873bd7517dcedf5

Download Submit
memory/1680-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1680-1964-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download