9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 01:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
Size

47KB
MD5

6baeecd5254ca58bacd10febd03e3a31
SHA1

f9fe49c65dfccc99afa7ea762f488dbf3f38f27e
SHA256

9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134
SHA512

5b7b912164b169d907ece7f982a44876b2f349674fff7b5ae41fcd0aee158a79d983cefa746f4767280c51f55e260bbd3b55c6070f49faf654f3d2677a209d28
SSDEEP

384:yBs7Br5xjL8AgA71FbhvBfepj3cfepj3KtLJr4S04SCzwzW:/7BlpQpARFbhq1KX101GIW

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5301) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgrammar8.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\BillingStatement.xltx.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.DLL.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.tree.dat.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\dotnet.exe.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sv.pak.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnvr.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe

C:\Users\Admin\AppData\Local\Temp\9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe
"C:\Users\Admin\AppData\Local\Temp\9b02efb88ad8498f550b23726e88a40da1c45a251b49d39ca1981c4399e27134.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
48KB

MD5
c9930d63029b80682ed18e1bbe03850e

SHA1
beeb9198a9669ff2de1c8a475a2c617009762a76

SHA256
0047d5650643accfe07687661ee0d721b7d3fc8e5f572d323978a529cd77c130

SHA512
a19d723cd21f575eb62c367c4a73201ccd1a48b6f3158a07131025ebf1a88fc1f4710dfece9cc7801971ba3b5a9238b1ad32e0ea18cb27236facfcacd61cac1f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
541682e630bd1baafa7d4cacbde19f42

SHA1
7fc9673854adab14b292661b10fe9fcf8d6e5130

SHA256
c0e2574f466ba5b5386196bcc3e711f36733be9817743fd75e2555e5981a5413

SHA512
e7caef4eb4b8b579e5e331088e28bd4da111e055d05e49846918013a8799fa7ad7c53df2aa41ae102ca6f2e40c04f1dde904ac431df94ca27d5abd880457c793

Download Submit
memory/2232-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2232-2030-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download