5f9fb30684852ec6df9b97d368c5cd1e5149103bbe038712e6c10e8ad0531376

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
Size

47KB
MD5

6a1b90edd27e7d6ad51e4f3fda5bcf60
SHA1

d84682c839582ea9dfc0027c918d7cd5bfe399f9
SHA256

5f9fb30684852ec6df9b97d368c5cd1e5149103bbe038712e6c10e8ad0531376
SHA512

d097ebc5cbed8fa89c42f8a0f9fa7b3145815c15a241b98d85a352fc6fdc8708029a04be72007c590b56ef89c84bc23c2f9280a59f8c62593d01f32f143856c5
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJwRJofJoT37W:W7ZppApaJofJo77W

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4679) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Queryable.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe

C:\Users\Admin\AppData\Local\Temp\6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe
"C:\Users\Admin\AppData\Local\Temp\6a1b90edd27e7d6ad51e4f3fda5bcf60N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
48KB

MD5
6ce92633c6841963d1dd6efd19640141

SHA1
cdc51c6f123e90bb33268d2da7d15b25d290b745

SHA256
1241c6addbfad945e7c5afbed412ce847d43267359e9e5fc8ba6f1ae3e8f852c

SHA512
928a7db71d18fce0a146261d0c0a438ff8838ab90949fc5f5fd963718d628eac09ab60902654913e72b8ac8fbc6ee91def7fe81dce646ffc66ef1e6718de51bc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
55b30c48cb6bb052159d84ce3a9c9b1b

SHA1
a2eaf06ecbda11733fe239dc130311eef3cf0792

SHA256
7e8205e892ed590b8c81b793678d58d18d3f61f64562fa4b1b2d4aed338fc6d4

SHA512
b4b4609510f49aa4c7efa39e21a0935ecca610256a9b8c544eba742af0f8a4e623470d7339447263c8370b5cf02ad7c1bdb02f184040284dac91268fcd927c9a

Download Submit