92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
Size

44KB
MD5

644187f4e4a591e3a3713652c8392bed
SHA1

6ae028dcefc3004a4c2868a1944b390b3b5cb11a
SHA256

92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa
SHA512

acc03e834827afb6b5e6bbd19e5b9c050312b81ee6a901063f02c41270a7ef708367bde7991b875b8a0a26f6743a685d6c792bd8b09ae97e47ec06759febb15e
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/Fzzwz72Jwuq2JwuR0U0IIg:/7BlpQpARFbhNIiJwsJwwnZj

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White.png.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe

C:\Users\Admin\AppData\Local\Temp\92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe
"C:\Users\Admin\AppData\Local\Temp\92a34b566d62d0d68ddee7c5640cc6fd209eda11abaf41136ea6a3675e6853fa.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
45KB

MD5
104b8892532ead8a7efd2f4c6deda7e8

SHA1
88fdf335b21b428a0fcdca86dc108788e8a86f5a

SHA256
0ad213307162957ea7da29403b83b48bc5f881d883d6661135b125a1bbdcdaeb

SHA512
9e53130c8bd856987a9d8b93cda367d6b36d930ed115ef9015bb21b4ec5aa74846fa494ea3320f84f53c6fd384127effb9d3733a2544e4596924ee29bf0bfdce

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
667fe16861c0ca59dbffc5bbce40876b

SHA1
09b70f9e6bffa5e82cc2755ecbde41bd8627ae92

SHA256
38776889dac5f3c85cd63e6530b679c069007b53dae7f4fbcafae008e69b3bfb

SHA512
9dccae315bb60276525eac917d202fcb29405911be1e272f20fac672f4374f8afb8b2d03379f542c243e6f2b2c1f7bf1cf3f88a1331dacbfe940245f7a6a981c

Download Submit
memory/4684-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4684-1956-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download