6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
Size

93KB
MD5

76b695f9e2134a8c2b9320c45bbfafd2
SHA1

32db64b69f67fe8c42eb7aa875f2f1263c636ffa
SHA256

6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e
SHA512

f33ad36054ecae08e2dc4be88b6e934d3e9f220668490e4719e7f1cd0e081316a59428b0a95853b32f9ca36c3356f83dcd8ced0d04aefe81112157601b93efe0
SSDEEP

1536:W7ZDpApYbWjIoPyPoLzV7c6ShZQ4PN54PNx:6DWp4WP

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5061) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.DLL.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map.tmp	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe

C:\Users\Admin\AppData\Local\Temp\6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe
"C:\Users\Admin\AppData\Local\Temp\6c18732e8280dd420a84fd5498e1a4f6df824f12d9bf617d5ef47faf78b4b78e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
93KB

MD5
87a7977f6b69a3e188f2fcbf9a432ad9

SHA1
7fc6d6132cf5a6fd63921a0c53182bd7e27ce6cb

SHA256
2a2220651166ab5686b7923f8621af571dd11d8f7e03a41b924c768f7b99ab2d

SHA512
b30e231be6f82033da8d9ea082e5a55e9cd3ff40acd66bbfc59998f23e431dd6b64f3934b905efd5f880fdd29d1278b1f07591f0bcfadce958cbc903e0acc56f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
192KB

MD5
368a5047e2730e38726164838e0712a6

SHA1
a775878715ee236946336825afb3ef6900a4b85f

SHA256
6085ffaec0b4f57606033ae54b797fa619f3dd6651b4db2804ed70fe062881a2

SHA512
c324f738adb73bde4e1e9c23b2b089a0bb87b962cbf969ad0269517680377a1af67a00fac8b1c8cf1f27e66f4a4211fd9e80b3e13bcb23d9f3e74bad17c0ba67

Download Submit