6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
Size

49KB
MD5

29f1307d43ae0d00c3676f9b64175921
SHA1

67e63e8f88918d870d48cd8691f4efa470335796
SHA256

6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0
SHA512

990ae9d78f299594f307437cffa3565dcaebcf9f169b594de7fab99a80aa2e0ec76101c01c587512ea61bfa4737e4b5967d79c69af1c87283cce49a040d504ca
SSDEEP

384:yBs7Br5xjL8AgA71FbhvBfepj3cfepj3KtLJr4S04SCzwzwl/Nl/Y:/7BlpQpARFbhq1KX101GIGjY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5293) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginLetter.Dotx.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONMAIN.DLL.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr3jp.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClient.resources.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe

C:\Users\Admin\AppData\Local\Temp\6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe
"C:\Users\Admin\AppData\Local\Temp\6d79c7b077c21e4786f0da8be2b2a141c7a062321161064fbbaaf12e9d7befd0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
49KB

MD5
e9857c24f5dacc5b55aa15a52821a53d

SHA1
798fc70691485f9d20918a5ba7e03ad8f84f3822

SHA256
0c4043120bfda0a95250c565d113758bfd1dfe88d833f01b11a2e68b5c664d13

SHA512
2c36a70f7a5d4c29b5b843269e24d7660b46beb273309128a90116468be3920e49cb036705480486ba06ceec6c58ca1b18ab70ee8126ad6fa4e6eeeaf656daef

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
92cd4b52b7c062f2168e5c6e9438b414

SHA1
3768b7219e43bbca9d391f73aa1f472ee0b65bb9

SHA256
1bdcef3c1f136d1672cd3fbc7af356066d971700ac977ea708b36147b938efdd

SHA512
e3b339b3e245d28d89076d5745b72bbdd95643937676246bf13c19246d61a62989a5d601ea330e09cebac67b762a58e4f344df5b23f70afcf88b7cdafbdff22b

Download Submit
memory/4980-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4980-1976-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download