Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10/08/2024, 22:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe
Resource
win7-20240704-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe
-
Size
42KB
-
MD5
2c24beaa58c93997392b97f20c350c54
-
SHA1
dabafd998a67df8779b6f7fb043f94d2c89dc5ee
-
SHA256
684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7
-
SHA512
ade4867f35d269ba746bc484b6021fc94e031f9679d6de21b003d4f6cb67c0aec67751b4b38315e0ca920ce65a0028ec7dccdf6127da3446a1ea88634ed6f733
-
SSDEEP
384:GBt7Br5xjL9A7AgA71Fbhvnqj7jU7ubTAgpbuvx10AaIdKB7ubTAgpbuvx10AaI/:W7BlphA7pARFbhL801VvM801Vvv7cYl
Score
9/10
Malware Config
Signatures
-
Renames multiple (5129) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-BR.pak.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\ONBttnWD.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Java\jre-1.8\bin\sspi_bridge.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe"C:\Users\Admin\AppData\Local\Temp\684b4d5aba8eab2a5019beb2e9aa7bc1a91d69478ce9fc985b63c03f6fda39c7.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:81⤵PID:2240
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD51cd10e8c37b04eda8ff31746d8517c50
SHA119d96c94945c6e835680df35117581eb0e13b78a
SHA25664123fe6420cb5e26a003ff1c9d797951093c8cc4e0f151ceffa63cd1132ae75
SHA5128da8bd95242730a38e37bb6ab90b1d169b3837a7f76881bb69aaee00a59dc52104913e8823d41e36909b28fb28d64bedc7692dd2d7dcb21fe75741356f9b6ffd
-
Filesize
154KB
MD542b9d851a2d725a2214cb2e801a1ec84
SHA1534fa3d64ced002b41efa08c5991d7dccf946421
SHA2566bc50e10c3c64ae00790a6a09dc9d31d1282ee4e4b38df9a201d9959f75f66b9
SHA5126a44cf141b1509c9207a6b8ce4b5b2bc10d69bedcb77b925eaefd51b72d58f83b03791e82eeeb95116d1e08355ae6ea2f733cc8a67b9c31a6e80e3318530ae97